A zero-day bug in the Fancy Product Designer plugin for WordPress sites has been actively exploited by threat actors to upload malware.
Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify which allows users to customize products using their own graphics and content.
The plugin has been sold and installed on more than 17,000 websites.
Zero-days are publicly disclosed vulnerabilities which the vendors haven’t patched, and in some cases, are also actively exploited in the wild or have publicly available proof-of-concept exploits.
The security flaw is a critical severity remote code execution (RCE) vulnerability and it was discovered by Wordfence security analyst Charles Sweethill.
The WordPress version of the plugin, which is also the one used in WooCommerce installations, is vulnerable.
Attacks against the Shopify version of the plugin would likely be blocked, as Shopify applies stricter access controls to sites hosted and running on its platform.
By successfully exploiting the Fancy Product Designer bug, it is possible to bypass the plugin's built-in checks against malicious file uploads and deploy executable PHP files on sites where the plugin is installed.
This gives the threat actors remote code execution and allows them to completely take over vulnerable sites.
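The vulnerability is described only as a bypass of the plugin's upload checks that lets executable PHP files land on the site, so a defender-side check is to look for such files in the web root's upload tree rather than trusting the extension filter alone. The following script is an added example, not code from Wordfence or the plugin; it assumes the uploads directory is `wp-content/uploads` (a constructed sample tree is built in a temp directory) and flags files whose name carries any PHP-executable suffix, including double extensions such as `design.php.jpg`, or whose content contains a PHP open tag.

```python
import tempfile
import re
from pathlib import Path

# Extensions that common PHP handler configurations execute; a filter that only
# blocks ".php" misses the rest, which is why content is checked as well.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # "<?xml" does not match


def suspicious_extension(name: str) -> bool:
    """True if any suffix of the filename is PHP-executable (catches shell.php.jpg)."""
    return any(s.lower() in PHP_EXTENSIONS for s in Path(name).suffixes)


def contains_php_code(data: bytes) -> bool:
    """True if a PHP open tag appears anywhere in the given bytes (image polyglots included)."""
    return PHP_TAG.search(data) is not None


def scan_uploads(root) -> list:
    """Walk an uploads tree and return findings sorted by path, each with its reasons."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if suspicious_extension(path.name):
            reasons.append("php-extension")
        try:
            head = path.read_bytes()[:4096]  # first 4 KiB is enough for an open tag check
        except OSError:
            continue
        if contains_php_code(head):
            reasons.append("php-open-tag")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(), "reasons": reasons})
    return findings


def build_demo_tree(root: str) -> None:
    """Write a constructed sample of wp-content/uploads (assumed layout, not real site data)."""
    base = Path(root) / "2021" / "05"
    base.mkdir(parents=True)
    (base / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)          # benign JPEG
    (base / "design.php.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php echo 1; ?>")     # image/PHP polyglot
    (base / "notes.phtml").write_bytes(b"plain text, no code")                    # executable suffix only
    (base / "config.xml").write_bytes(b"<?xml version='1.0'?><a/>")               # harmless PI


def demo() -> list:
    """Build the constructed tree in a temp directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], ",".join(f["reasons"]))
```

Point `scan_uploads` at a real uploads directory to list candidates for manual review; a hit is a reason to inspect the file and the site's PHP handler configuration, not proof of compromise on its own.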
Threat analyst Ram Gall said that because the vulnerability is being actively attacked, they are publicly disclosing it with minimal details, even though it has not yet been patched, in order to alert the community to take precautions and keep their sites protected.
Even though the vulnerability has only been exploited on a small scale, the attacks targeting thousands of sites running the Fancy Product Designer plugin started more than two weeks ago, on May 16, 2021.
Users of this plugin are advised to uninstall it until a patched release is available.