
‘Fancy Product Designer’ Website Plugin Zero-Day Vulnerability

2 June, 2021

Event Summary

On May 31, 2021, the WordFence Threat Intelligence team discovered and disclosed a critical file upload vulnerability in the ‘Fancy Product Designer’ plugin. This vulnerability affects both WordPress and WooCommerce websites and allows for Remote Code Execution (RCE). The Fancy Product Designer plugin is installed on over 17,000 websites and has been observed being exploited in the wild as far back as May 16, 2021. At this time, minimal details are being provided because the vulnerability is under active exploitation.

Details

CVE-2021-24370

CVSS 9.8

This security flaw exists because the plugin has insufficient checks in place and because existing checks can be easily bypassed, allowing for the upload of malicious files without authentication.

An attacker targeting the vulnerability could upload executable PHP files to any website that has the plugin installed. Successful exploitation of the bug could provide the attacker with Remote Code Execution (RCE) capabilities and allow complete takeover of the website.

Indicators of Compromise

Successful exploitation results in a file with a unique ID and a PHP extension, which will appear in a date-named subfolder (year/month/day of the upload) of either “wp-admin” or “wp-content/plugins/fancy-product-designer/inc”. For instance:

“wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php”

“wp-admin/2021/05/31/1d4609806ff0f4e89a3fb5fa35678fa0.php”


Known Source IPs of this attack:

69.12.71[.]82

92.53.124[.]123

46.53.253[.]152
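The two indicators above (the path pattern of the dropped PHP file and the known source IPs) can be checked mechanically. The script below is an added example written for this advisory, not code from Security On-Demand or WordFence; it assumes a standard WordPress directory layout, that the dropped file's "unique ID" is a 32-character hexadecimal name as in the two examples above, and that the web server access log uses the common/combined format with the client IP as the first field. The sample log lines and the files created by demo_scan() are constructed for the dry run.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Iterable

# Path pattern from the advisory: <suspect dir>/YYYY/MM/DD/<32-hex id>.php,
# where the suspect dir is wp-admin or the plugin's inc folder.
# Assumption: the "unique ID" is 32 lowercase hex characters, as in the
# two example paths given in the advisory.
IOC_PATH_RE = re.compile(
    r"^(?:wp-admin|wp-content/plugins/fancy-product-designer/inc)"
    r"/\d{4}/\d{2}/\d{2}/[0-9a-f]{32}\.php$"
)

# Source IPs listed in the advisory (defanged there with [.]; re-fanged here
# so they compare against raw log fields).
KNOWN_SOURCE_IPS = frozenset({"69.12.71.82", "92.53.124.123", "46.53.253.152"})

# Client IP is the first whitespace-delimited field in common/combined log format.
LOG_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def is_ioc_path(relpath: str) -> bool:
    """True if a path relative to the WordPress root matches the dropped-file pattern."""
    return IOC_PATH_RE.match(relpath.replace("\\", "/")) is not None


def scan_webroot(root: str | Path) -> list[str]:
    """Walk a WordPress root and return every .php file matching the IoC pattern."""
    root = Path(root)
    hits = []
    for p in root.rglob("*.php"):
        rel = p.relative_to(root).as_posix()
        if is_ioc_path(rel):
            hits.append(rel)
    return sorted(hits)


def find_known_source_hits(log_lines: Iterable[str]) -> list[str]:
    """Return access-log lines whose client IP is one of the advisory's source IPs."""
    hits = []
    for line in log_lines:
        m = LOG_IP_RE.match(line)
        if m and m.group(1) in KNOWN_SOURCE_IPS:
            hits.append(line.rstrip("\n"))
    return hits


# Constructed sample log lines (not from the advisory) for a dry run.
SAMPLE_LOG = [
    '69.12.71.82 - - [30/May/2021:10:15:02 +0000] "POST /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/May/2021:10:16:40 +0000] "GET /shop/ HTTP/1.1" 200 8831',
    '46.53.253.152 - - [31/May/2021:02:01:11 +0000] "GET /wp-admin/2021/05/31/'
    '1d4609806ff0f4e89a3fb5fa35678fa0.php HTTP/1.1" 200 14',
]


def demo_scan() -> list[str]:
    """Build a constructed WordPress tree in a temp dir and scan it for the IoC pattern."""
    files = [
        # the two example paths from the advisory: should be flagged
        "wp-admin/2021/05/31/1d4609806ff0f4e89a3fb5fa35678fa0.php",
        "wp-content/plugins/fancy-product-designer/inc/2021/05/30/"
        "4fa00001c720b30102987d980e62d5e4.php",
        # legitimate files and look-alikes outside the suspect dirs: should not
        "wp-admin/admin.php",
        "wp-content/uploads/2021/05/30/4fa00001c720b30102987d980e62d5e4.php",
        "wp-content/plugins/fancy-product-designer/inc/2021/05/30/notes.txt",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in files:
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("<?php // constructed sample file\n")
        return scan_webroot(tmp)


if __name__ == "__main__":
    for hit in demo_scan():
        print("suspicious file:", hit)
    for line in find_known_source_hits(SAMPLE_LOG):
        print("known source IP:", line)
```

Run scan_webroot() against the real WordPress root (the directory containing wp-admin) and feed find_known_source_hits() the web server's access log. A match on either indicator is a reason to treat the host as compromised rather than merely vulnerable: the dropped file is the attacker's webshell, so removing the plugin alone is not sufficient cleanup once it is present.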

Recommendations

As a patch is currently not available, it is highly recommended to completely uninstall the Fancy Product Designer plugin until a security patch becomes available.


SOD Actions

Security On-Demand’s SOC Team continues to search your environment for these indicators to identify any exposure. The Security On-Demand Threat Recon Unit will continue to monitor these events and will notify you of any critical changes as they are released. We highly recommend that you uninstall the Fancy Product Designer plugin on your website; please contact us if you have any questions.

Sources

WordFence – Critical 0-day in Fancy Product Designer Under Active Attack

SecurityWeek – Actively Exploited Zero-Day Found in WordPress Plugin Used by Many Online Stores

Bleeping Computer – Critical WordPress plugin zero-day under active exploitation