Currently Active WordPress Plugin Vulnerability Lets Attackers Take Full Control, Research Finds

Security researchers have identified a vulnerability in the Fancy Product Designer plugin for WordPress that attackers are using right now in the wild, allowing them to upload malware to websites that use the plugin.

Countless malware campaigns use vulnerable websites to distribute compromised files or extract data. One way attackers do this is by taking control of websites that harbor a vulnerability, like the one in the Fancy Product Designer plugin.

The more popular the plugin, the more impact it will have on the online ecosystems, increasing its attractiveness to attackers. According to researchers from Wordfence, more than 17,000 websites use the Fancy Product Designer plugin.

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products,” said the researchers. “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The vulnerability is being exploited right now, which is why the researchers didn’t share too much, except indicators of compromise and a few other details. The plugin developers already released an update that fixes the problem, but it will take a while until enough websites switch to the new version.

From what the researchers found so far, the attacker seems to be targeting e-commerce sites and attempting to extract order information from site databases. The latest information shows that the vulnerability has been used since Jan. 30, 2021, at the least.

Websites using the Fancy Product Designer plugin are urged to upgrade to the latest version as soon as possible. Just disabling the plugin is not sufficient.