Security News > 2021 > June > Critical WordPress plugin zero-day under active exploitation
Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.
Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.
"The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable," threat analyst Ram Gall told BleepingComputer.
Attackers who successfully exploit the Fancy Product Designer bug can bypass built-in checks blocking malicious files uploading to deploy executable PHP files on sites where the plugin is installed.
While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of sites running the Fancy Product Designer plugin have started more than four months ago, on January 30, 2021.
Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to immediately install the Fancy Product Designer 4.6.9 patched version released on June 2.
News URL
Related news
- Critical zero-days impact premium WordPress real estate plugins (source)
- Unpatched critical flaws impact Fancy Product Designer WordPress plugin (source)
- SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)