2 June, 2021
On May 31, 2021, the Wordfence Threat Intelligence team discovered and disclosed a critical file upload vulnerability in the ‘Fancy Product Designer’ plugin. This vulnerability affects both WordPress and WooCommerce websites and allows for Remote Code Execution (RCE). The Fancy Product Designer plugin is installed on over 17,000 websites, and the vulnerability has been observed being exploited in the wild as far back as May 16, 2021. At this time, minimal details are being provided due to the active exploitation of this vulnerability.
This security flaw exists because the plugin has insufficient checks in place and because existing checks can be easily bypassed, allowing for the upload of malicious files without authentication.
An attacker targeting the vulnerability could upload executable PHP files to any website that has the plugin installed. Successful exploitation of the bug could provide the attacker with Remote Code Execution (RCE) capabilities and allow the complete takeover of a website.
Indicators of Compromise
Successful exploitation results in a file with a unique ID and a PHP extension, which will appear in a subfolder of either “wp-admin” or “wp-content/plugins/fancy-product-designer/inc” with the date the file was uploaded. For instance:
Known Source IPs of this attack:
As a patch is currently not available, it is highly recommended to completely uninstall the Fancy Product Designer plugin until a security patch becomes available.
Security On-Demand’s SOC Team continues to search your environment for these indicators to identify any key vulnerabilities. The Security On-Demand Threat Recon Unit will continue to monitor these events and will notify you of any critical changes as they are released. We highly recommend that you uninstall the Product Designer plugin on your website. Please contact us if you have any questions.
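One way to check a site for the file indicators described under Indicators of Compromise (an added example, not code from the original advisory or from Wordfence): it lists PHP files that sit in a subfolder of either named directory and were modified on or after May 16, 2021. The function names, the modification-time filter and the list of stock wp-admin subfolders are assumptions of this example, and the tree scanned by demo() is constructed.

```python
import os
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Directories named in the advisory, relative to the WordPress root.
IOC_DIRS = ("wp-admin", "wp-content/plugins/fancy-product-designer/inc")
# Earliest in-the-wild exploitation date given in the advisory.
CUTOFF = datetime(2021, 5, 16, tzinfo=timezone.utc)
# Subdirectories that a stock WordPress wp-admin ships with.
CORE_WP_ADMIN = {"css", "images", "includes", "js", "maint", "network", "user"}

def find_candidates(wp_root, cutoff=CUTOFF):
    """List (path, mtime date, unexpected_dir) for PHP files that sit in a
    subfolder of an IOC directory and were modified on or after cutoff.
    unexpected_dir is True for a wp-admin subfolder that core does not ship."""
    root, hits = Path(wp_root), []
    for rel in IOC_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            # Skip non-PHP entries and files directly in base (not in a subfolder).
            if path.suffix.lower() != ".php" or path.parent == base or not path.is_file():
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime < cutoff:
                continue
            top = path.relative_to(base).parts[0]
            unexpected = rel == "wp-admin" and top not in CORE_WP_ADMIN
            hits.append((path.relative_to(root).as_posix(), mtime.date().isoformat(), unexpected))
    return sorted(hits)

def demo():
    """Scan a constructed tree (sample names and dates, not real indicators)."""
    samples = [("wp-admin/includes/update.php", 3, 9),
               ("wp-admin/sample-dir/sample-id.php", 5, 20),
               (IOC_DIRS[1] + "/sample-dir/sample-id.PHP", 5, 18)]
    with tempfile.TemporaryDirectory() as tmp:
        for rel, month, day in samples:
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<?php // constructed sample\n")
            ts = datetime(2021, month, day, tzinfo=timezone.utc).timestamp()
            os.utime(target, (ts, ts))
        return find_candidates(tmp)

if __name__ == "__main__":
    print(*(find_candidates(sys.argv[1]) if len(sys.argv) > 1 else demo()), sep="\n")
```

Pass the WordPress root as the first argument to scan a real installation. The rows are candidates for review, since modification times also change on legitimate updates and can be reset after a file is written.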