Currently Active WordPress Plugin Vulnerability Lets Attackers Take Full Control, Research Finds

Silviu STAHIE

June 04, 2021

Security researchers have identified a vulnerability in the Fancy Product Designer plugin for WordPress that attackers are using right now in the wild, allowing them to upload malware to websites that use the plugin.

Countless malware campaigns use vulnerable websites to distribute compromised files or extract data. One way attackers do this is by taking control of websites that harbor a vulnerability, like the one in the Fancy Product Designer plugin.

The more popular the plugin, the greater its impact on the online ecosystem, and the more attractive it becomes to attackers. According to researchers from Wordfence, more than 17,000 websites use the Fancy Product Designer plugin.

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products,” said the researchers. “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”
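
The quoted description boils down to an upload check that could be bypassed. The following is an added illustration, not code from the plugin or from Wordfence (the plugin's actual check logic is not described here): a loose check that trusts the final file extension alone, beside a stricter one that also inspects the bytes, rejects any PHP handler extension anywhere in the name (double extensions included), and refuses image or PDF files that carry a PHP tag. The accepted types and magic bytes are assumptions for the example.

```python
"""Validate customer-supplied image/PDF uploads by content, not by name alone."""
import re

# Expected leading bytes for the assumed allowlist of upload types
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# A PHP opening tag anywhere in the body: if the server ever maps the file to
# the PHP handler, this content would execute.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Any dotted segment with a PHP handler extension, so "shell.php.jpg" is caught too
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.IGNORECASE)


def weak_check(filename: str) -> bool:
    """Insufficient check: trusts only the final extension.

    A name such as 'shell.php.jpg' passes, and so does a '.jpg' file that
    actually contains PHP source.
    """
    return filename.lower().rsplit(".", 1)[-1] in ("png", "jpg", "jpeg", "pdf")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Stricter check. Returns (accepted, reason)."""
    name = filename.lower()
    if PHP_EXT.search(name):
        return False, "php extension in filename"
    if "." not in name:
        return False, "missing extension"
    ext = name.rsplit(".", 1)[1]
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_MAGIC:
        return False, f"extension not allowed: {ext}"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "embedded php tag"
    return True, "ok"
```

Content validation like this is one layer only; uploads also belong in a directory where the web server is configured not to execute scripts.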

Because the vulnerability is being exploited right now, the researchers shared little beyond indicators of compromise and a few other details. The plugin developers have already released an update that fixes the problem, but it will take a while until enough websites switch to the new version.

From what the researchers have found so far, the attacker appears to be targeting e-commerce sites and attempting to extract order information from site databases. The latest information shows that the vulnerability has been exploited since at least Jan. 30, 2021.

Websites using the Fancy Product Designer plugin are urged to upgrade to the latest version as soon as possible. Merely deactivating the plugin is not sufficient.
