Threat actors are scanning for websites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.
Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.
According to sales statistics for the plugin, Fancy Product Designer has been sold and installed on more than 17,000 websites.
Zero-day also impacts WooCommerce sites
Zero-days are publicly disclosed vulnerabilities vendors have not patched, which, in some cases, are also actively exploited in the wild or have publicly available proof-of-concept exploits.
“The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable,” threat analyst Ram Gall told BleepingComputer.
When it comes to the plugin’s Shopify version, attacks would likely be blocked, given that Shopify uses stricter access controls for sites hosted and running on its platform.
Vulnerable sites exposed to complete takeover
Attackers who successfully exploit the Fancy Product Designer bug can bypass the built-in checks that block malicious file uploads and deploy executable PHP files on sites where the plugin is installed.
This allows the threat actors to completely take over vulnerable sites following remote code execution attacks.
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites safe,” Gall said.
While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of websites running the Fancy Product Designer plugin started more than two weeks ago, on May 16, 2021.
Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to uninstall the plugin until a patched release is available.
Indicators of compromise, including IP addresses used to launch these ongoing attacks, are available at the end of Wordfence’s report.
The Fancy Product Designer development team did not reply to BleepingComputer’s request for comment before the article was published.