More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns.
Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices. The plugin provides various other customization options as well.
This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in Fancy Product Designer. The issue, they explain, could be exploited in certain configurations even if the plugin has been deactivated.
Tracked as CVE-2021-24370 and featuring a CVSS score of 9.8, the security bug exists because the plugin has insufficient checks in place and because existing checks can easily be bypassed, thus allowing for the upload of malicious files.
An attacker targeting the vulnerability could upload executable PHP files to any website that has the plugin installed. Successful exploitation of the bug could provide the attacker with the ability to execute code remotely and completely take over a website.
Wordfence has refrained from providing further details on the vulnerability, but says it will release additional technical information once a patch has been released.
However, the security firm did share indicators of compromise (IOCs), which include the presence of a file with a unique ID and a PHP extension in the wp-admin or wp-content/plugins/fancy-product-designer/inc subfolders.
The bug, Wordfence says, has been under attack since at least May 16, with most assaults coming from three IP addresses only, suggesting a small scale operation.
The developer of Fancy Product Designer was informed about the vulnerability on May 31, the day the Wordfence team noticed the attacks.