Critical Zero-Day Flaw Actively Exploited in WordPress Fancy Product Designer Plugin

A critical zero-day vulnerability has been discovered in a WordPress plugin called Fancy Product Designer. A Wordfence Threat Intelligence team from WordPress security company Defiant alerted about this vulnerability. The vulnerability is under active attack, which is tracked as CVE-2021-24370 by using a vulnerability scanning tool. Successful exploitation of the vulnerability allows remote attackers to bypass the firewall’s built-in file upload protection, which blocks malicious file upload. As a result, attackers can deploy PHP files and execute them. To mitigate this vulnerability, we can use a patch management solution.

Fancy Product Designer is a premium plugin for WordPress, WooCommerce, and Shopify stores. It allows customers to design and customize their products of any kind. It also enables customers to upload images and pdf files of the products to their website.  Fancy Product Designer plugin is installed on more than 17000 websites.

A critical (CVSS Score: 9.8) unauthenticated arbitrary file upload and remote code execution vulnerability is found in the Fancy Product Designer plugin for WordPress and WooCommerce. Though Wordfence firewall has built-in file upload protection that blocks malicious file upload, it was possible to bypass the protection mechanism in some configurations. Also, it is possible to exploit the flaw even when the plugin has been deactivated.

However, successful exploitation of the vulnerability allows remote attackers to upload malicious PHP files, execute remote code on the site with the plugin installed, and aid in full site takeover. Moreover, according to the Wordfence security team’s analysis, attackers are trying to fetch order information from e-commerce site’s databases. Since this information usually contains customer’s personal details, an e-commerce site using a vulnerable version of the plugin ends up violating PCI-DSS compliance.

Usually, successful exploitation allows the attackers to place a file in subfolders of wp-admin
or wp-content/plugins/fancy-product-designer/inc

wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php
orwp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php

Also, the vulnerability allows remote attackers to upload malicious PHP files, execute remote code on the site with the plugin installed, and full site takeover.

Fancy Product Designer plugin before version 4.6.9

However, to address this vulnerability, the plugin developer has release version 4.6.9 for the Fancy Product Designer plugin. Also, Wordfence has released new firewall rules to its premium customer to protect from this vulnerability, and free customers will get this update on June 30th.

Furthermore, Use SanerNow EDR to query the machines for IOCs and identify if a machine compromised.