Critical WordPress Plug-In Flaw Exploited


Fancy Product Designer Flaw Allows Remote Code Execution

Uninstall Now: Critical WordPress Plug-In Flaw Exploited
Users are advised to uninstall the Fancy Product Designer plug-in. (Image: Fancy Product Design)

Hackers are exploiting a critical zero-day flaw in the WordPress plug-in Fancy Product Designer, which allows remote code execution, the Wordfence Threat Intelligence team at Defiant Inc. says. Because a patch has not yet been released, the team urges users to immediately uninstall the vulnerable plug-in.

Wordfence is a WordPress security product developed by the security firm Defiant Inc.


The Fancy Product Designer plug-in, which lets site visitors design products online, is compatible with multiple platforms, says Ram Gall, a security analyst at Defiant.

Attackers are exploiting the critical remote code execution vulnerability in the plug-in to upload malicious files, Gall says. Although WordPress has a built-in firewall, hackers are bypassing it to exploit the flaw and achieve remote code execution before attempting a full site takeover, he adds.

Defiant says it’s working with the Fancy Product Designer plug-in’s developer to mitigate the flaw.

“As this is a critical zero-day under active attack and is exploitable in some configurations even if the plug-in has been deactivated, we urge anyone using this plug-in to completely uninstall Fancy Product Designer, if possible, until a patched version is available,” Gall says.

Defiant did not respond to a request for comment.

Other Incidents

Attackers have also exploited other unpatched WordPress plug-in flaws in recent incidents.

In May, hackers targeted a water treatment plant in Oldsmar, Florida, by compromising a contractor’s website that ran on WordPress and contained several vulnerable plug-ins (see: Watering Hole Attack Targeted Florida Water Utilities).

In March, Wordfence Threat Intelligence researchers at Defiant identified five vulnerabilities in Tutor LMS, a WordPress plug-in installed on more than 20,000 sites. The flaws were later patched (see: WordPress LMS Tutor Plug-In Flaws Patched).
