Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.
Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.
Zero-day also impacts WooCommerce sites
Zero-days are publicly disclosed vulnerabilities vendors haven’t patched, which, in some cases, are also actively exploited in the wild or have publicly available proof-of-concept exploits.
The security flaw is a critical severity remote code execution (RCE) vulnerability discovered by Wordfence security analyst Charles Sweethill on Monday.
“The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable,” threat analyst Ram Gall told BleepingComputer.
When it comes to the plugin’s Shopify version, attacks would likely be blocked, given that Shopify uses stricter access controls for sites hosted and running on its platform.
Vulnerable sites exposed to complete takeover
Attackers who successfully exploit the Fancy Product Designer bug can bypass built-in checks blocking malicious files uploading to deploy executable PHP files on sites where the plugin is installed.
This allows the threat actors to completely take over vulnerable sites following remote code execution attacks.
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” Gall said.
While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of sites running the Fancy Product Designer plugin have started more than two weeks ago, on May 16, 2021.
Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to uninstall the plugin until a patched release is available.
Indicators of compromise, including IP addresses used to launch these ongoing attacks, are available at the end of WordFence’s report.
The Fancy Product Designer development team did not reply to BleepingComputer’s request for comment before the article was published.
Source: https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-zero-day-under-active-exploitation/