Critical Zero-Day Vulnerability in WordPress Plugin

Security researchers have uncovered a new critical zero-day vulnerability in a WordPress plugin that threat actors are actively exploiting.

Websites running the Fancy Product Designer plugin – which is currently installed on over 17,000 sites – are being scanned by threat actors to exploit a zero-day bug that allows them to bypass built-in checks and upload malware.

The vulnerability was discovered by experts at security vendor Wordfence, who have created a report detailing indicators of compromise, including IP addresses used to launch the ongoing attacks.

“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on the 1st of June,” explained threat analyst Ram Gall.

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.”

Wordfence issued a new rule to its paid firewall product on Monday, with subsequent updates to its free version on June 30 to protect customers from the attacks.

However, the attacks targeting the thousands of sites running the Fancy Product Designer plugin began more than two weeks earlier, on 16th May 2021. The vulnerability remains unpatched, although exploitation has so far been limited to a small scale. Site owners are advised to uninstall the plugin until a patched release is available.
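Because the bug lets attackers push files through the plugin's own upload handling rather than through WordPress core, and because Wordfence's report lists attacker IP addresses as indicators of compromise, a site owner who cannot uninstall immediately will want to know whether their own access logs show that pattern. The script below is an added defensive example, not code from Wordfence or from the plugin's vendor. It assumes the plugin is installed under `wp-content/plugins/fancy-product-designer/` (slug assumed, not stated on the page), uses a placeholder `IOC_IPS` set in place of the real indicators from the Wordfence report, and parses constructed log lines in Apache/nginx "combined" format.

```python
"""Flag access-log entries that touch the Fancy Product Designer plugin directly
or come from known-bad IPs. Added defensive example; not vendor code.

Assumptions:
  - plugin directory slug is fancy-product-designer (assumed)
  - IOC_IPS is a placeholder; replace with the IPs from the Wordfence report
  - log lines are in Apache/nginx "combined" format
"""
import re
from collections import Counter

PLUGIN_PATH = "/wp-content/plugins/fancy-product-designer/"  # assumed slug
IOC_IPS = {"203.0.113.10", "198.51.100.77"}                   # placeholder IoCs (TEST-NET addresses)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the file names and IPs are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2021:03:12:01 +0000] "POST /wp-content/plugins/fancy-product-designer/inc/upload.php HTTP/1.1" 200 53 "-" "Mozilla/5.0"
192.0.2.5 - - [16/May/2021:03:12:05 +0000] "GET /wp-content/plugins/fancy-product-designer/js/app.js HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
192.0.2.8 - - [16/May/2021:03:13:00 +0000] "GET /wp-content/plugins/fancy-product-designer/inc/upload.php?x=1 HTTP/1.1" 403 0 "-" "curl/7.68"
198.51.100.77 - - [16/May/2021:03:14:00 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.9 - - [16/May/2021:03:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the reasons an entry is suspicious; an empty list means nothing stood out."""
    reasons = []
    path = entry["path"].split("?", 1)[0]          # drop the query string before matching
    if path.startswith(PLUGIN_PATH):
        # Requests that hit the plugin's PHP files directly bypass the WordPress front
        # controller; a POST there is the shape an upload attempt would take.
        if entry["method"] == "POST":
            reasons.append("POST to plugin directory (possible upload attempt)")
        elif path.endswith(".php"):
            reasons.append("direct PHP access under plugin directory (probe)")
    if entry["ip"] in IOC_IPS:
        reasons.append("source IP in IoC list")
    return reasons


def scan(lines):
    """Return (findings, hits_per_ip) for an iterable of log lines."""
    findings = []
    per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["path"], entry["status"], reasons))
            per_ip[entry["ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for ip, method, path, status, reasons in found:
        print(f"{ip} {method} {path} -> {status}: {'; '.join(reasons)}")
    print("hits per IP:", dict(counts))
```

Run it against a real log with `scan(open("access.log"))` after replacing `IOC_IPS` with the published indicators. A 200 response to a POST under the plugin path deserves the most attention; a 403 on the same path is what you would expect to see once a firewall rule like the one Wordfence shipped is in place.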

Copyright Lyonsdown Limited 2021
