Security News > 2021 > June > Hackers Actively Exploiting 0-Day in WordPress Plugin Installed on Over 17,000 Sites
Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that's being actively exploited in the wild to upload malware onto sites that have the plugin installed.
Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31.
Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products.
"Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed," Wordfence said in a write-up published on Tuesday.
This is far from the first time Wordfence has disclosed severe issues in WordPress plugins.
In December 2017, a hidden backdoor in BestWebSoft captcha plugin was found to affect 300,000 sites.