WordPress Plugin “Fancy Product Designer” Found to Have a Serious Zero-Day Vulnerability

A serious zero-day vulnerability has been discovered in Fancy Product Designer, a WordPress plugin, and sites running it can be attacked by exploiting it. Here are the affected versions and how to resolve the issue.

What is Fancy Product Designer?

Fancy Product Designer is a plugin that allows users to design and customize any kind of product.

It also allows users to upload product images and PDF files.

It is estimated to be installed on over 17,000 WordPress installations.

Vulnerability Description

There is a vulnerability that allows malicious PHP files to be uploaded. Attackers can remotely execute code and even hijack entire sites.

The attacker is targeting e-commerce sites and seems to be trying to extract order information.

If you have a large number of files in dated directories under “wp-admin” or “wp-content/plugins/fancy-product-designer/inc”, you may have been attacked.
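One way to run the check described above, as an added example (not code from the plugin or from the original article): it lists dated directories under the two locations named and counts the files in each. The date pattern, the PHP-name pattern and the sample tree are assumptions, since the article does not give the exact directory format.

```python
import re
import sys
import tempfile
from pathlib import Path

# The two locations the article names as places where attack files appear.
WATCHED = ("wp-admin", "wp-content/plugins/fancy-product-designer/inc")
# Assumption: "dated" means a name such as 2021, 2021-05 or 20210530; the
# article does not give the exact format, so adjust this to what you see.
DATED = re.compile(r"^20\d{2}([-_.]?(0[1-9]|1[0-2])([-_.]?(0[1-9]|[12]\d|3[01]))?)?$")
# Names that a web server may hand to the PHP interpreter.
PHP_NAME = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

def find_dated_dirs(wp_root):
    """Return (relative dir, total files, PHP-like files) per dated directory."""
    root = Path(wp_root)
    hits = []
    for rel in WATCHED:
        base = root / rel
        if not base.is_dir():
            continue  # plugin removed or non-standard layout
        for d in sorted(base.iterdir()):
            if d.is_symlink() or not d.is_dir() or not DATED.match(d.name):
                continue
            # Count recursively so nested year/month/day layouts are covered.
            files = [f for f in d.rglob("*") if f.is_file()]
            php = sum(1 for f in files if PHP_NAME.search(f.name))
            hits.append((d.relative_to(root).as_posix(), len(files), php))
    return hits

def build_sample_tree(root):
    """Constructed sample layout for the demo; every file name is made up."""
    root = Path(root)
    inc = root / WATCHED[1]
    for path in (root / "wp-admin/css/common.css", inc / "class-sample.php",
                 inc / "2021/05/30/aaaa.php", inc / "2021/05/30/bbbb.php.txt",
                 root / "wp-admin/2021-06-01/upload.pdf"):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
    return root

if __name__ == "__main__":
    # With no argument, scan a constructed tree so the script runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for rel_dir, total, php in find_dated_dirs(target):
        print(f"{rel_dir}: {total} file(s), {php} PHP-like -> review")
```

Pass the WordPress root as the first argument to scan a real installation; the script only reads the file system and changes nothing.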

Affected versions

All versions of Fancy Product Designer 4.6.8 and earlier

Vulnerability Severity

The severity of the vulnerability is classified as Critical, and a site is affected even if the plugin is disabled.

Solution

Version 4.6.9, which fixes this vulnerability, was released on June 2, 2021.

If you have enabled Fancy Product Designer, the following is the solution.