WordPress Plugin “Fancy Product Designer” Found to Have a Serious Zero-Day Vulnerability
A serious zero-day vulnerability has been found in Fancy Product Designer, a WordPress plugin, and it is being exploited in the wild. The affected versions and the steps to resolve the issue are described below.
What is Fancy Product Designer?
Fancy Product Designer is a WordPress plugin that lets customers design and customize products, for example by uploading their own images or PDF files to place on the product.
It is estimated to be installed on more than 17,000 WordPress sites.
Vulnerability Description
The plugin's upload handling can be abused to upload malicious PHP files. A remote attacker who uploads a PHP file and then requests it can execute arbitrary code on the server and take over the entire site.
Attacks observed so far target e-commerce sites and appear to be aimed at extracting customer order information.
Uploaded files are stored in subdirectories named after the upload date. If you find an unusually large number of files, or any PHP files, in date-named directories under wp-admin or wp-content/plugins/fancy-product-designer/inc, treat the site as potentially compromised.
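The following script checks a WordPress document root for the indicators described above. It is an added example, not code from the original article or from the plugin's authors. It assumes that "dated directories" are named either like 2021-06-02 or as nested 2021/06/02 components, and it treats 50 or more files in one dated directory as a "large number"; both are assumptions and can be adjusted. Besides looking for PHP file extensions, it inspects the start of each file for a PHP open tag so that a PHP payload renamed to .jpg is also caught. The sample directory tree it builds for the demo is constructed here, not real data.

```python
"""Scan a WordPress install for the indicators described above: PHP files
(including image-named files with PHP content) and overcrowded date-named
upload directories under wp-admin/ and the Fancy Product Designer inc/ directory."""
import re
import tempfile
from pathlib import Path

# Locations the article names as where the uploaded files end up.
WATCH_DIRS = ("wp-admin", "wp-content/plugins/fancy-product-designer/inc")

# Assumption: dated directories look like 2021-06-02, 2021_06_02, 20210602
# or nested 2021/06/02. Adjust if your install uses a different layout.
DATE_COMPONENT = re.compile(r"^(\d{4})[-_.]?(\d{2})[-_.]?(\d{2})$")
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
FILE_COUNT_THRESHOLD = 50  # assumption: what counts as a "large number" of files


def is_dated_dir(path) -> bool:
    """True if the directory name is a date, or its last three components are YYYY/MM/DD."""
    path = Path(path)
    if DATE_COMPONENT.match(path.name):
        return True
    parts = path.parts[-3:]
    return len(parts) == 3 and DATE_COMPONENT.match("-".join(parts)) is not None


def has_php_content(path: Path) -> bool:
    """Look at the first 4 KiB so a PHP file renamed to .jpg is still caught."""
    try:
        with path.open("rb") as fh:
            return PHP_OPEN_TAG.search(fh.read(4096)) is not None
    except OSError:
        return False


def scan(webroot) -> dict:
    """Return {'php_files': [...], 'crowded_dirs': [...]} with paths relative to webroot."""
    webroot = Path(webroot)
    php_files, crowded = [], []
    for rel in WATCH_DIRS:
        base = webroot / rel
        if not base.is_dir():
            continue
        # Only date-named directories are inspected: wp-admin and inc legitimately
        # contain many PHP files, but uploads should never be PHP.
        for d in [base, *sorted(p for p in base.rglob("*") if p.is_dir())]:
            if not is_dated_dir(d):
                continue
            files = [f for f in d.iterdir() if f.is_file()]
            if len(files) >= FILE_COUNT_THRESHOLD:
                crowded.append(d.relative_to(webroot).as_posix())
            for f in files:
                if f.suffix.lower() in PHP_EXTENSIONS or has_php_content(f):
                    php_files.append(f.relative_to(webroot).as_posix())
    return {"php_files": sorted(php_files), "crowded_dirs": sorted(crowded)}


def build_sample_tree(root) -> Path:
    """Constructed sample layout (not real data): one legitimate plugin file, one
    dated directory holding a benign PNG, an uploaded PHP shell and a PHP file
    disguised as a JPEG, and one dated wp-admin directory stuffed with 60 files."""
    root = Path(root)
    inc = root / "wp-content/plugins/fancy-product-designer/inc"
    inc.mkdir(parents=True)
    (inc / "fpd-functions.php").write_text("<?php // legitimate plugin code\n")
    dated = inc / "2021-06-02"
    dated.mkdir()
    (dated / "design.png").write_bytes(b"\x89PNG\r\n\x1a\n fake png data")
    (dated / "shell.php").write_text("<?php system($_GET['c']); ?>")
    (dated / "logo.jpg").write_text("GIF89a<?php eval($_POST['x']); ?>")
    admin = root / "wp-admin/2021/06/03"
    admin.mkdir(parents=True)
    for i in range(60):
        (admin / f"{i}.txt").write_text("x")
    return root


def demo() -> dict:
    """Build the constructed sample tree in a temp directory and scan it."""
    return scan(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for key, hits in demo().items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

Run it against a real site as `scan("/var/www/html")` from the directory containing the script. A hit does not prove compromise, but any PHP file in an upload directory is something an attacker placed, not something the plugin needs, and should be examined and removed.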
Affected versions
Fancy Product Designer 4.6.8 and all earlier versions
Vulnerability Severity
The vulnerability is rated Critical. Note that it can be exploited even when the plugin is merely deactivated, so deactivating Fancy Product Designer is not a fix.
Solution
Version 4.6.9, which fixes this vulnerability, was released on June 2, 2021.
If Fancy Product Designer is installed on your site, whether active or not, do one of the following:
- Update to the latest version, 4.6.9
- Completely delete the plugin if it is not needed
Updating does not remove files an attacker has already uploaded, so after updating, check the date-named directories under wp-admin and wp-content/plugins/fancy-product-designer/inc for PHP files and remove any you find.