Currently Active WordPress Plugin Vulnerability Lets Attackers Take Full Control, Research Finds
Security researchers have identified a vulnerability in the Fancy Product Designer plugin for WordPress that attackers are actively exploiting in the wild, allowing them to upload malware to websites that use the plugin.
Countless malware campaigns use vulnerable websites to distribute compromised files or extract data. One way attackers do this is by taking control of websites that harbor a vulnerability, like the one in the Fancy Product Designer plugin.
The more popular a plugin is, the more impact a vulnerability in it has on the online ecosystem, and the more attractive it becomes to attackers. According to researchers from Wordfence, more than 17,000 websites use the Fancy Product Designer plugin.
“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products,” said the researchers. “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”
Because the vulnerability is being exploited right now, the researchers shared little beyond indicators of compromise and a few other details. The plugin developers have already released an update that fixes the problem, but it will take a while until enough websites switch to the new version.
From what the researchers have found so far, the attacker seems to be targeting e-commerce sites and attempting to extract order information from site databases. The latest information shows that the vulnerability has been exploited since at least Jan. 30, 2021.
Websites using the Fancy Product Designer plugin are urged to upgrade to the latest version as soon as possible. Just disabling the plugin is not sufficient.
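Since the flaw lets PHP files land where only images and PDFs are expected, site owners can audit their upload directories for files that do not match that expectation. The sketch below is an added example, not code from Wordfence or the plugin; the extension list, the magic-byte table and the sample files are assumptions constructed for illustration, and the directory to scan is whatever path the site actually uses for uploads.

```python
import os
import tempfile

# Assumption: extensions a typical server config may hand to the PHP interpreter.
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
# Leading bytes of the file types the plugin is meant to accept (images, PDF).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def audit_file(path):
    """Return the reasons a file looks suspicious; an empty list means no finding."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    if {"." + p for p in parts[1:]} & PHP_EXTS:  # every segment, not only the last
        reasons.append("php-extension")
    with open(path, "rb") as fh:
        data = fh.read()
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    if final_ext in MAGIC and not data.startswith(MAGIC[final_ext]):
        reasons.append("magic-mismatch")
    if b"<?php" in data.lower():  # heuristic: PHP open tag anywhere in the content
        reasons.append("php-open-tag")
    return reasons

def audit_tree(root):
    # Walk root and map relative path -> reasons for every flagged file.
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = audit_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    # Constructed sample files written to a temporary directory, then audited.
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "order.pdf": b"%PDF-1.4\n% constructed sample\n",
        "design.php": b"<?php echo 1; ?>",
        "banner.gif": b"<?php echo 1; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_tree(root)
```

A finding is a lead for manual review, not proof of compromise; compare any hits against the indicators of compromise published by the researchers.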