Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.
Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.
"The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable," threat analyst Ram Gall told BleepingComputer.
Attackers who successfully exploit the Fancy Product Designer bug can bypass the plugin's built-in checks that block malicious file uploads and deploy executable PHP files on sites where the plugin is installed.
While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of sites running the Fancy Product Designer plugin began more than four months ago, on January 30, 2021.
Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to immediately update to the patched version, Fancy Product Designer 4.6.9, released on June 2.
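As an added defensive example (not code from the article or from the plugin), the scanner below walks a WordPress uploads tree and flags files that a bypassed upload check may have let through: names with a PHP-executable extension, a PHP extension hidden before an image extension, and PHP open tags inside files that claim to be images. The sample tree is constructed inline, and the extension list and heuristics are assumptions of this example rather than details from the advisory.

```python
import os
import re
import tempfile

# Extensions a typical web server hands to the PHP interpreter (assumed list).
PHP_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}
# PHP open tag, searched for regardless of the file's extension.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def classify_upload(filename: str, head: bytes) -> list[str]:
    """Return the reasons a file under wp-content/uploads should be quarantined."""
    reasons = []
    segments = filename.lower().split(".")[1:]  # "x.php.jpg" -> ["php", "jpg"]
    if segments and segments[-1] in PHP_EXTS:
        reasons.append("php_extension")
    elif any(s in PHP_EXTS for s in segments):
        reasons.append("php_in_double_extension")  # some Apache configs still execute these
    if PHP_OPEN_TAG.search(head):
        reasons.append("php_open_tag_in_content")
    return reasons

def scan_uploads(root: str, head_bytes: int = 4096) -> dict[str, list[str]]:
    """Walk an uploads tree and map relative path -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)  # only the first bytes are needed for the checks
            reasons = classify_upload(name, head)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed sample uploads tree: two benign files and three a bypassed check let through."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2021/06/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2021/06/design.svg": b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
        "2021/06/cache.php": b"<?php /* constructed: executable file in uploads */ ?>",
        "2021/06/photo.php.jpg": b"\xff\xd8\xff\xe0JFIF",
        "2021/06/banner.gif": b"GIF89a<?php /* constructed: PHP behind an image header */ ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_uploads(build_sample_tree())` reports the three planted files and nothing for the PNG and SVG; on a real site the same function can be pointed at wp-content/uploads.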