Security researchers at Wordfence have disclosed a critical zero-day vulnerability in a WordPress plugin that threat actors are actively exploiting.
Websites running the Fancy Product Designer plugin, which is currently installed on more than 17,000 sites, are being scanned by threat actors exploiting a zero-day bug that lets them bypass the plugin's built-in file checks and upload malware.
“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on the 1st of June,” explained threat analyst Ram Gall.
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.”
Wordfence issued a new rule to its paid firewall product on Monday (31 May 2021), with the same rule scheduled to reach the free version on June 30, to protect customers from the attacks.
However, attacks against the thousands of sites running the Fancy Product Designer plugin have been observed since at least 16 May 2021, more than two weeks before disclosure. The vulnerability remains unpatched, although exploitation has so far been small-scale. Site owners are advised to uninstall the plugin until a patched release is available. Because exploitation predates disclosure, neither a firewall rule nor a future patch removes files an attacker has already uploaded, so sites that ran the plugin during this window should also audit their upload directories for unexpected files.
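The audit suggested above can be scripted. The following is an added example, not code from Wordfence or from the plugin's developer; it assumes a directory tree laid out like a WordPress `wp-content/uploads` folder (the `make_sample_tree` helper builds a small constructed one for demonstration) and flags files that a web server could execute as PHP: anything carrying a PHP extension anywhere in its name, anything whose content starts with a PHP open tag regardless of extension, and attacker-dropped `.htaccess` files. The 16 May 2021 cutoff is the start of the observed attacks reported above.

```python
"""Audit a WordPress-style uploads tree for files that could run as PHP.

Example code added to this article; not Wordfence's or the plugin's own.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions that typical Apache/PHP-FPM configurations hand to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# A PHP open tag anywhere in the first 4 KiB of content, whatever the file claims to be.
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Attacks on this plugin were observed from 16 May 2021 (date from the article).
DEFAULT_SINCE = datetime(2021, 5, 16, tzinfo=timezone.utc)


def suspicious_reasons(path):
    """Return the list of reasons a file is worth a closer look (empty if none)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    # A PHP extension anywhere in the name (e.g. avatar.php.jpg) matters because some
    # server configurations execute the first recognised extension, not the last.
    if any(s in PHP_EXTENSIONS for s in suffixes):
        reasons.append("php-extension")
    # An .htaccess dropped into uploads can re-enable PHP execution there.
    if path.name.lower() == ".htaccess":
        reasons.append("htaccess")
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:
        return reasons
    if PHP_TAG_RE.search(head):
        reasons.append("php-open-tag")
    return reasons


def audit_uploads(root, since=DEFAULT_SINCE):
    """Walk `root` and return findings, each with path, reasons, mtime and a
    'recent' flag marking files modified on or after `since`."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = suspicious_reasons(p)
            if not reasons:
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "reasons": reasons,
                "modified": mtime.isoformat(),
                "recent": mtime >= since,
            })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree():
    """Build a constructed sample uploads tree in a temp dir and return its root.

    The contents are placeholders for demonstration, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="uploads-audit-"))
    month = root / "2021" / "05"
    month.mkdir(parents=True)
    (month / "legit.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # benign image
    (month / "shell.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (month / "avatar.php.jpg").write_bytes(b"\x00" * 32)  # double extension, inert body
    (month / "design.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"<?php phpinfo(); ?>")
    (month / ".htaccess").write_bytes(b"AddType application/x-httpd-php .jpg\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for f in audit_uploads(target):
        flag = "RECENT" if f["recent"] else "old   "
        print(f"{flag} {f['modified']} {f['path']}  {','.join(f['reasons'])}")
```

Run it as `python audit_uploads.py /var/www/html/wp-content/uploads` (path assumed; adjust to your install). Findings are leads, not verdicts: a legitimate plugin may ship a `.htaccess` in uploads, so compare each hit against a known-good copy of the site before deleting anything, and treat any file with a PHP open tag that the plugin did not create as evidence of compromise warranting a wider investigation.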