Fancy Product Designer, a WordPress plugin installed on over 17,000 websites, has been found to contain a critical file upload vulnerability that is being actively exploited in the wild to upload malware onto websites that have the plugin installed.
Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31. While the flaw has been acknowledged, it has yet to be addressed.
Fancy Product Designer is a tool that allows businesses to offer customizable products, letting customers design any kind of item ranging from T-shirts to phone cases by providing the ability to upload images and PDF files that can be added to the products.
"Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed," Wordfence said in a write-up published on Tuesday.
Armed with this capability, an attacker can achieve remote code execution on an affected website, allowing full site takeover, the researchers noted. Wordfence has not shared the technical specifics of the vulnerability because it is under active attack.
Wordfence said that the critical zero-day could be exploited in select configurations even when the plugin has been deactivated, urging users to completely uninstall Fancy Product Designer until a patched version becomes available.
This is far from the first time Wordfence has disclosed severe issues in WordPress plugins. In December 2017, a hidden backdoor in the BestWebSoft Captcha plugin was found to affect 300,000 sites.
Then earlier this year, the researchers revealed vulnerabilities in Elementor and WP Super Cache that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.