Fancy Product Designer, a WordPress plugin installed on over 17,000 websites, has been found to contain a critical file upload vulnerability that is being actively exploited in the wild to upload malware onto websites that have the plugin installed.
Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31. While the flaw has been acknowledged, it has yet to be addressed.
Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of merchandise ranging from T-shirts to phone cases by uploading images and PDF files that are then added to the product.
"Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed," Wordfence said in a write-up published on Tuesday.
Armed with this capability, an attacker can achieve remote code execution on an affected website, allowing full site takeover, the researchers noted. Wordfence has not shared the technical specifics of the vulnerability because it is under active attack.
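Wordfence has not said what the plugin's checks were or how they were bypassed, so the example below is not the plugin's code and does not reproduce the actual flaw. It is an added illustration of the general failure mode the write-up describes: an upload filter that only blocklists a few extensions on the client-supplied filename, shown beside a hardened check that allowlists extensions, requires exactly one extension, verifies the leading bytes match the claimed type, and discards the original name before anything touches disk. The allowed types and all sample files are constructed for this example.

```python
"""Weak upload filter beside a hardened one (added example, not plugin code).

The weak check is a generic blocklist pattern, chosen as an illustration; it is
not a claim about what Fancy Product Designer actually did.
"""
import os
import secrets

# Types a product customizer would plausibly accept (assumption), with the
# leading bytes ("magic") each must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# The weak pattern: a short blocklist applied to the final extension only.
BLOCKED = {"php", "php5", "exe"}


def weak_check(filename: str) -> bool:
    """Accept anything whose last extension is not blocklisted.

    Misses variants the server may still execute (phtml), is case-sensitive,
    ignores extra extensions like shell.php.png, and never reads the content.
    """
    ext = filename.rsplit(".", 1)[-1]
    return ext not in BLOCKED


def hardened_check(filename: str, data: bytes) -> tuple:
    """Return (accepted, detail); detail is the validated extension on success."""
    base = os.path.basename(filename)          # strip any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    magic = ALLOWED.get(ext)
    if magic is None:
        return False, f"extension {ext!r} not in allowlist"
    if not data.startswith(magic):
        return False, f"content does not look like a {ext} file"
    return True, ext


def safe_storage_name(ext: str, token: str = "") -> str:
    """Never reuse the client's name: store under a random name plus the
    validated extension so a crafted filename cannot reach the filesystem."""
    return f"{token or secrets.token_hex(16)}.{ext}"


# Constructed sample uploads; the PHP bodies are inert placeholders.
SAMPLES = {
    "design.png": ALLOWED["png"] + b"\x00" * 16,
    "flyer.pdf": b"%PDF-1.4\n%placeholder\n",
    "shell.php": b"<?php echo 'x'; ?>",
    "shell.phtml": b"<?php echo 'x'; ?>",
    "shell.PHP": b"<?php echo 'x'; ?>",
    "shell.php.png": b"<?php echo 'x'; ?>",
}


def run_samples() -> dict:
    """Map each sample name to (weak_accepts, hardened_accepts)."""
    return {
        name: (weak_check(name), hardened_check(name, data)[0])
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, hard) in run_samples().items():
        print(f"{name:16} weak={weak!s:5} hardened={hard}")
```

Of the six constructed samples, the blocklist rejects only `shell.php`; the allowlist-plus-magic check accepts only the genuine PNG and PDF. Even with the hardened check, the upload directory should still be served with PHP execution disabled (for example via an `.htaccess` or server rule), since content sniffing is a filter, not a guarantee.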
Wordfence said the critical zero-day can be exploited in select configurations even when the plugin has been deactivated, urging users to completely uninstall Fancy Product Designer until a patched version becomes available. Deactivating a plugin only stops WordPress from loading it; its files remain on disk under the plugins directory and can still be requested directly by URL, which is why removal, not deactivation, is the mitigation.
This is far from the first time Wordfence has disclosed severe issues in WordPress plugins. In December 2017, a hidden backdoor in the BestWebSoft Captcha plugin was found to affect 300,000 websites.
Then earlier this year, the researchers revealed vulnerabilities in Elementor and WP Super Cache that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.