[BreachExchange] Hackers Actively Exploiting 0-Day in WordPress Plugin Installed on Over 17,000 Sites
Sophia Kingsbury
sophia.kingsbury at riskbasedsecurity.com
Wed Jun 2 15:44:07 EDT 2021
https://thehackernews.com/2021/06/hackers-actively-exploiting-0-day-in.html
Fancy Product Designer, a WordPress plugin installed on over 17,000 sites,
has been discovered to contain a critical file upload vulnerability that's
being actively exploited in the wild to upload malware onto sites that have
the plugin installed.
Wordfence's threat intelligence team, which discovered the flaw, said it
reported the issue to the plugin's developer on May 31. While the flaw has
been acknowledged, it's yet to be addressed.
Fancy Product Designer is a tool that enables businesses to offer
customizable products, allowing customers to design any kind of item
ranging from T-shirts to phone cases by offering the ability to upload
images and PDF files that can be added to the products.
"Unfortunately, while the plugin had some checks in place to prevent
malicious files from being uploaded, these checks were insufficient and
could easily be bypassed, allowing attackers to upload executable PHP files
to any site with the plugin installed," Wordfence said in a write-up
published on Tuesday.
Armed with this capability, an attacker can achieve remote code execution
on an affected website, allowing full site takeover, the researchers noted.
Wordfence has not shared the technical specifics of the vulnerability as
it's under active attack.
Wordfence said that the critical zero-day could be exploited in select
configurations even if the plugin has been deactivated, urging users to
completely uninstall Fancy Product Designer until a patched version becomes
available.
This is far from the first time Wordfence has disclosed severe issues in
WordPress plugins. In December 2017, a hidden backdoor in BestWebSoft
captcha plugin was found to affect 300,000 sites.
Then earlier this year, the researchers revealed vulnerabilities in
Elementor and WP Super Cache that, if successfully exploited, could allow
an attacker to run arbitrary code and take over a website in certain
scenarios.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210602/495b97d7/attachment.html>
More information about the BreachExchange
mailing list