[Update] Popular WordPress plugin actively exploited: Uninstall Fancy Product Designer completely to secure website, cautions Wordfence

Fancy Product Designer Plugin WordPress Security Vulnerability
Actively exploited WordPress plugin. Pic credit: Kevin Phillips/Pixabay

A popular WordPress plugin is under active exploitation. ‘Fancy Product Designer’ contains a simple yet critical vulnerability that can grant a potential attacker complete control of the website.

The Fancy Product Designer plugin for WordPress has a critical file upload vulnerability that as-yet-unknown threat actors are actively exploiting. The security flaw has one of the highest vulnerability ratings.

Security researchers issue warning about a critical new zero-day vulnerability in a WordPress plugin:

Security researchers have discovered that Fancy Product Designer, a popular WordPress plugin, is vulnerable to exploitation. The plugin is currently active on 17,000 websites that rely on WordPress.

Fancy Product Designer plugin enables businesses to offer customizable products. This is essentially a consumer-facing customization tool that allows customers to design any kind of item. It could T-shirts or phone cases. Customers can upload images and PDF files, which sellers can then add to the products.

The threat intelligence team working at Wordfence first discovered the security flaw and quickly alerted the creators of the plugin. Incidentally, the plugin creators even responded within 24 hours, confirmed threat analyst Ram Gall.

“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 01, 2021”.

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected”.

Uninstalling the Fancy Product Designer plugin for WordPress is the only protection from the actively exploited security vulnerability:

What the above statement means is that there is no active defense or patch that secures the plugin for WordPress. The only way to shield a website from possible exploitation is to completely uninstall the plugin.

“As this is a critical zero-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available”.

In simple words, merely disabling the plugin does not work. The file upload vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8, tagged as ‘Critical’.

Gall has warned that an attacker could upload executable PHP files to any site with the plugin installed. “This effectively makes it possible for an attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover”.

Incidentally, the Fancy Product Designer plugin has some checks to block malicious file uploads. However, a determined attacker can easily bypass the checks.

[Update] The creators of the plugin have issued an update. Needless to mention, users must immediately update the same.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x

Warning: Undefined variable $posts in /home/thetechherald/public_html/wp-content/themes/generatepress_child/functions.php on line 309

Warning: Trying to access array offset on value of type null in /home/thetechherald/public_html/wp-content/themes/generatepress_child/functions.php on line 309

Warning: Attempt to read property "post_author" on null in /home/thetechherald/public_html/wp-content/themes/generatepress_child/functions.php on line 309