A major WordPress plugin flaw is being actively exploited in the wild – TechRadar

TechRadar is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
By Mayank Sharma last updated
Uninstall the plugin until a patch is available, suggest security researchers
Update: Wordfence has said that a patched version of the compromised plugin is now available as of June 2, 2021. Kathy Zant, Director of Marketing at Defiant, Inc who develop Wordfence added: “We’ve added some indicators of compromise to our story as well as some details on hacker motives, which appear to be e-commerce related.”
Security researchers have discovered a critical file upload vulnerability in the Fancy Product Designer WordPress plugin that is being actively exploited in the wild. 
In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is already installed on over 17,000 sites.
The Fancy Product Designer plugin offers users the ability to upload images and PDF files that can then be added to listed products on a website. 
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
>> Click here to start the survey in a new window<<
Wordfence discovered that although the plugin has some checks to prevent malicious files from being uploaded, these can be bypassed. As a result, threat actors could upload executable PHP code, for any sort of Remote Code Execution (RCE) attack including full site takeovers.
Wordfence contacted the plugin’s developer the same day it discovered the vulnerability being exploited in the wild, and received a response within 24 hours. 
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” write the Wordfence researchers.
The critical zero-day vulnerability is exploitable in some configurations even if the plugin has been deactivated, warns Wordfence, urging all users to completely uninstall the plugin until a patched version is available.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Thank you for signing up to TechRadar. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.
TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.


Registered for Cape Town Website Design Agency