Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that’s being actively exploited in the wild to upload malware onto sites that have the plugin installed.
Wordfence’s threat intelligence team, which discovered the flaw, said it reported the issue to the plugin’s developer on May 31. While the flaw has been acknowledged, it’s yet to be addressed.
Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products.
“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed,” Wordfence said in a write-up published on Tuesday.
Armed with this capability, an attacker can achieve remote code execution on an affected website, allowing full site takeover, the researchers noted. Wordfence has not shared the technical specifics of the vulnerability as it found evidence of it being abused as early as January 30.
Wordfence said that the critical zero-day could be exploited in select configurations even if the plugin has been deactivated, urging users to completely uninstall Fancy Product Designer until a patched version becomes available.
This is far from the first time Wordfence has disclosed severe issues in WordPress plugins. In December 2017, a hidden backdoor in BestWebSoft captcha plugin was found to affect 300,000 sites.
Then earlier this year, the researchers revealed vulnerabilities in Elementor and WP Super Cache that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.
Update: The maintainers of Fancy Product Designer have released an update (version 4.6.9) to remediate the aforementioned file upload vulnerability. Wordence has also shared the revised indicators of compromise (IoC) associated with the attack, which can be accessed here.