In the latest WordPress developments, a zero-day vulnerability within the Fancy Product Designer plugin has been under active exploitation by threat actors.
WordPress Plugin Fancy Product Designer contains zero-day:
According to the latest findings by Defiant published in a blog post, the Fancy Product Designer WordPress plugin, which is employed by more than 17,000 websites, contains a critical zero-day.
Defiant, which makes Wordfence security plugins for WordPress, notes that malicious actors are exploiting the zero-day vulnerability to deploy malware to the website using the Fancy Product Designer WordPress plugin.
Analytical evidence suggests that the zero-day has been under active exploitation since at least January.
The Fancy Product Designer WordPress plugin allows customers to customize products ranging from clothing to accessories and household items by uploading images or PDF files. It is used on a variety of platforms, including WordPress, WooCommerce, and Shopify.
“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for an attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” alerted Wordfence QA Engineer Ram Gall.
Impact of the zero-day exploit:
Defiant has been analyzing the attacks exploiting the zero-day and has found that they originate from three specific IP addresses.
The main targets of these attacks are e-commerce websites, with the intention of accessing vendor databases.
The data that can be potentially compromised in such targeted attacks can include customers’ personally identifiable information.
A successful attack can be recognized by numerous files appearing in either the wp-admin or wp-content/plugins subfolder.
In such a case, a primary payload is delivered to the website that is subsequently used to fetch supplementary malware from another website.
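The indicator described above (unexpected files appearing under wp-admin or wp-content/plugins) can be checked by diffing a site's current file listing against a known-good baseline and flagging PHP-executable files that are not in it. This is an added example, not code from Wordfence or the plugin; the file listings, the example-plugin path and the watched-directory list are constructed assumptions.

```python
"""Flag unexpected PHP files under wp-admin/ and wp-content/plugins/ by
comparing a current file listing with a known-good baseline manifest.
All paths and sample listings below are constructed for illustration."""
from pathlib import PurePosixPath

# Extensions a typical web server hands to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Directories named in the write-up as where dropped files were observed.
WATCHED_DIRS = ("wp-admin", "wp-content/plugins")


def is_php_file(path):
    """True if any suffix is a PHP extension. Checking every suffix (not just
    the last) is deliberately conservative: 'up.php.jpg' is also flagged."""
    return any(s.lower() in PHP_EXTENSIONS for s in PurePosixPath(path).suffixes)


def in_watched_dir(path):
    """True if the path lies inside one of the watched directories."""
    return any(path.startswith(d + "/") for d in WATCHED_DIRS)


def find_unexpected_php(current_files, baseline_files):
    """Return sorted paths that are PHP files inside a watched directory
    and absent from the baseline (e.g. a clean install or release tree)."""
    baseline = set(baseline_files)
    return sorted(p for p in current_files
                  if p not in baseline and in_watched_dir(p) and is_php_file(p))


# Constructed baseline: files present on a clean install (placeholder plugin name).
BASELINE = [
    "wp-admin/admin.php",
    "wp-admin/includes/file.php",
    "wp-content/plugins/example-plugin/example-plugin.php",
]

# Constructed current listing: baseline plus files matching the pattern above.
CURRENT = BASELINE + [
    "wp-admin/css/x1.php",                                   # dropped PHP file
    "wp-content/plugins/example-plugin/assets/logo.png",     # new, but not PHP
    "wp-content/plugins/example-plugin/assets/up.php.jpg",   # double extension
    "wp-content/uploads/2021/06/design.pdf",                 # outside watched dirs
]

if __name__ == "__main__":
    for hit in find_unexpected_php(CURRENT, BASELINE):
        print("UNEXPECTED PHP FILE:", hit)
```

In practice the baseline would come from a clean copy of WordPress core and each installed plugin at the same versions, and the current listing from the live webroot.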
Patch deployed in the updated version:
The developers of the Fancy Product Designer WordPress plugin were notified of the critical zero-day vulnerability on May 31st by the Wordfence team.
In a prompt response, a patch addressing the zero-day was released within 24 hours, in Fancy Product Designer version 4.6.9 on June 2.
Administrators of websites running the plugin are advised to apply the security patch as soon as possible since, in some configurations, the vulnerability can be exploited even when the plugin itself is deactivated.