Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been found to contain a critical file upload vulnerability that is being actively exploited in the wild to upload malware onto sites that have the plugin installed.
Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31. While the flaw has been acknowledged, it has yet to be addressed.
Fancy Product Designer is a tool that lets businesses offer customizable products, allowing customers to design anything from T-shirts to phone cases by uploading images and PDF files that are then added to the product.
“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed,” Wordfence said in a write-up published on Tuesday.
Armed with this capability, an attacker can achieve remote code execution on an affected site, enabling full site takeover, the researchers noted. Wordfence has not shared the technical specifics of the vulnerability because it is under active attack.
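The weakness described above is a general one: an upload check that can be bypassed so that a PHP file ends up in a web-served directory. Wordfence has not published the plugin's actual check, so the following is an added, generic illustration (not code from Fancy Product Designer or Wordfence) of a blocklist-style check beside a hardened allowlist validator of the kind a defender would want in front of any user-supplied image or PDF. The extension lists, the magic-byte table and the sample inputs are assumptions constructed for the example.

```python
"""Upload validation: a weak extension check beside a hardened one.

Generic illustration of the weakness class; not code from Fancy Product
Designer or Wordfence. Extension lists and the magic-byte table are
assumptions for this demo and should be tuned to the real server config.
"""
import re

# Extensions a typical PHP host executes when a file carrying them lands in a
# web-served directory (assumed list; depends on the server's handler config).
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# What a product designer legitimately needs: raster images and PDFs.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes each allowed type must start with.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# PHP open tags; a file containing one must never reach a PHP-served path.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def weak_is_allowed(filename: str) -> bool:
    """Blocklist on the final extension only.

    This is the shape of check that is easy to get around: a different
    casing, an alternate PHP extension, or a second extension all pass.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext != "php"


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist the extension, reject executable extensions anywhere in the
    name, require the content's magic bytes to match the claimed type, and
    refuse any file that embeds a PHP open tag (image/PHP polyglots)."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # drop any path
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                    # no extension, or a dotfile like .htaccess
    *inner, ext = parts[1:]
    if ext not in ALLOWED_EXTS:
        return False                    # not a type the feature needs
    if any(p in PHP_EXECUTABLE_EXTS for p in inner):
        return False                    # double extension, e.g. design.php.png
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False                    # bytes do not match the claimed type
    if PHP_OPEN_TAG.search(content):
        return False                    # valid-looking image carrying PHP
    return True


if __name__ == "__main__":
    # Constructed sample uploads (not real artefacts from any site).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [
        ("shirt.png", png),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.PHP", b"<?php echo 1; ?>"),
        ("shell.phtml", b"<?php echo 1; ?>"),
        ("shell.php.png", png),
        ("logo.gif", b"GIF89a" + b"<?php echo 1; ?>"),
        ("design.pdf", b"%PDF-1.4\n%constructed\n"),
    ]
    for fname, data in samples:
        print(f"{fname:16} weak={weak_is_allowed(fname)!s:5} "
              f"hardened={hardened_is_allowed(fname, data)}")
```

Run stand-alone, the table shows where the two checks diverge: the blocklist waves through `shell.PHP`, `shell.phtml` and `shell.php.png`, while the allowlist rejects all of them and additionally catches a GIF-headed file that carries a PHP open tag. The point is that the decision is made on what the file is and what the server would do with it, not on what its name is not.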
Wordfence said that the critical zero-day can be exploited in some configurations even when the plugin has been deactivated, and urged users to completely uninstall Fancy Product Designer until a patched version becomes available.
This is far from the first time Wordfence has disclosed severe issues in WordPress plugins. In December 2017, a hidden backdoor in the BestWebSoft Captcha plugin was found to affect 300,000 sites.
Then earlier this year, the researchers disclosed vulnerabilities in Elementor and WP Super Cache that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.