Cyber Security

Hackers‌ ‌Actively‌ ‌Exploiting‌ ‌0-Day‌ ‌in WordPress Plugin Installed on Over ‌17,000‌ ‌Sites

Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that’s being actively exploited in the wild to upload malware onto sites that have the plugin installed.

Wordfence’s threat intelligence team, which discovered the flaw, said it reported the issue to the plugin’s developer on May 31. While the flaw has been acknowledged, it’s yet to be addressed.

Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products.

“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed,” Wordfence said in a write-up published on Tuesday.

Armed with this capability, an attacker can achieve remote code execution on an affected website, allowing full site takeover, the researchers noted. Wordfence has not shared the technical specifics of the vulnerability as it’s under active attack.

Wordfence said that the critical zero-day could be exploited in select configurations even if the plugin has been deactivated, urging users to completely uninstall Fancy Product Designer until a patched version becomes available.

This is far from the first time Wordfence has disclosed severe issues in WordPress plugins. In December 2017, a hidden backdoor in BestWebSoft captcha plugin was found to affect 300,000 sites.

Then earlier this year, the researchers revealed vulnerabilities in Elementor and WP Super Cache that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.

Articles You May Like

iPhone 15 Brings New Battery Settings Option to Limit Charging Beyond 80 Percent: Report
Vivo Y56 5G Now Available in 4GB RAM and 128GB Storage Variant in India: Details
Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge
5 Smart TV Deals on Amazon You Shouldn’t Miss: From Sony Bravia 55-Inch to Redmi 32-Inch; Here’s the List
Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score