Uninstall Now: Critical WordPress Plug-In Flaw Exploited
Fancy Product Designer Flaw Allows Remote Code Execution
Hackers are exploiting a critical zero-day flaw in the WordPress plug-in Fancy Product Designer, which allows remote code execution, the Wordfence Threat Intelligence team at Defiant Inc. says. Because a patch has not yet been released, the team urges users to immediately uninstall the vulnerable plug-in.
Wordfence is a WordPress security solution from the WordPress security firm Defiant Inc.
The Fancy Product Designer plug-in, a platform for online product designing, is compatible with multiple platforms, says Ram Gall, a security analyst at Defiant.
Attackers are exploiting the critical remote code vulnerability in the plug-in to upload malicious files, Gall says. Although WordPress has a built-in firewall, hackers are bypassing it to exploit the flaw and achieve remote code execution before attempting a full site takeover, he adds.
Defiant says it's working with the Fancy Product Designer plug-in's developer to mitigate the flaw.
"As this is a critical zero-day under active attack and is exploitable in some configurations even if the plug-in has been deactivated, we urge anyone using this plug-in to completely uninstall Fancy Product Designer, if possible, until a patched version is available," Gall says.
Defiant did not respond to a request for comment.
Attackers have also exploited other unpatched WordPress plug-in flaws in recent incidents.
In May, hackers targeted a water treatment plant in Oldsmar, Florida, by compromising a contractor's website that ran on WordPress and contained several vulnerable plug-ins (see: Watering Hole Attack Targeted Florida Water Utilities).
In March, Wordfence Threat Intelligence researchers at Defiant identified five vulnerabilities in Tutor LMS, a WordPress plug-in installed on more than 20,000 sites. The flaws were later patched (see: WordPress LMS Tutor Plug-In Flaws Patched).