Currently Active WordPress Plugin Vulnerability Lets Attackers Take Full Control, Research Finds

Silviu STAHIE

June 04, 2021

Security researchers have identified a vulnerability in the Fancy Product Designer plugin for WordPress that attackers are using right now in the wild, allowing them to upload malware to websites that use the plugin.

Countless malware campaigns use vulnerable websites to distribute compromised files or extract data. One way attackers do this is by taking control of websites that harbor a vulnerability, like the one in the Fancy Product Designer plugin.

The more popular the plugin, the larger its impact on the online ecosystem, and the more attractive it becomes to attackers. According to researchers from Wordfence, more than 17,000 websites use the Fancy Product Designer plugin.

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products,” said the researchers. “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The vulnerability is being exploited right now, which is why the researchers didn’t share many details beyond indicators of compromise. The plugin developers have already released an update that fixes the problem, but it will take a while until enough websites switch to the new version.

From what the researchers have found so far, the attacker seems to be targeting e-commerce sites and attempting to extract order information from site databases. The latest information shows that the vulnerability has been exploited since at least Jan. 30, 2021.

Websites using the Fancy Product Designer plugin are urged to upgrade to the latest version as soon as possible. Just disabling the plugin is not sufficient.
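Because the attack ends with executable PHP sitting in the uploads directory, one check a site owner can run after patching is a sweep of that directory for files that should never be there. The script below is an added example written for this article, not code from Bitdefender, Wordfence or the plugin; it assumes the conventional wp-content/uploads layout and builds a small constructed sample tree in a temp directory so it runs offline.

```python
import os
import re
import tempfile

# Extensions a typical PHP handler would execute if the file is reached over HTTP.
EXEC_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}
# Extensions an upload plugin is meant to accept; a PHP open tag inside one is a polyglot.
UPLOAD_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".svg"}
PHP_TAG = re.compile(rb"<\?(php|=)")


def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for files that do not belong in uploads."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Check every suffix so double extensions like shell.php.jpg are caught too.
            suffixes = {"." + s.lower() for s in name.split(".")[1:]}
            if suffixes & EXEC_EXTS:
                findings.append((rel, "executable extension"))
            elif os.path.splitext(name)[1].lower() in UPLOAD_EXTS:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)  # dropped tags normally sit near the start
                if PHP_TAG.search(head):
                    findings.append((rel, "PHP tag inside non-PHP file"))
    return sorted(findings)


def build_sample_tree():
    """Write a constructed uploads tree (sample data, not real indicators) and return its root."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(root, "2021", "05"))
    samples = {
        "2021/05/design.png": b"\x89PNG\r\n\x1a\n fake image bytes",
        "2021/05/logo.jpg": b"\xff\xd8\xff\xe0 <?php echo 'polyglot'; ?>",
        "2021/05/shell.php": b"<?php echo 'plain php file'; ?>",
        "2021/05/avatar.php.jpg": b"<?= 'double extension' ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(f"{reason}: {rel}")
```

Run it against the real uploads directory instead of the sample tree; any hit is worth treating as a possible compromise rather than a false positive until the file's origin is confirmed.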
