Zero-day: WordPress plugin Fancy Product Designer

Attackers are actively exploiting a zero-day vulnerability in the WordPress plugin Fancy Product Designer, putting more than 17,000 sites at risk of being taken over. A security update to fix the issue is not yet available. This is reported by security company Wordfence.

Fancy Product Designer is a WordPress plugin that allows online stores to let their customers upload files such as images and PDF documents, for example to design their own T-shirts, cups, posters or mouse pads. The plugin does not appear to properly check whether malicious files are being uploaded. This makes it possible to upload PHP files to any website that uses the plugin, allowing attackers to completely take over the website.

The vulnerability, CVE-2021-24370, has been rated 9.8 on a severity scale of 1 to 10. Wordfence discovered on May 31 that the vulnerability has been actively used to take over WordPress sites since at least May 16.

The security company warned the developers of the plugin. They have not released a security update yet. Because of the active attacks, Wordfence decided to warn users now rather than wait for a fix. Details about the vulnerability will not be made public until after the patch is released.
