Critical Zero-Day Discovered in Fancy Product Designer WordPress Plug-in

The plug-in under active attack has been installed on more than 17,000 websites, say researchers.

Dark Reading Staff, Dark Reading

June 3, 2021

1 Min Read
Dark Reading logo in a gray background | Dark Reading

A recently discovered critical file upload vulnerability is being actively exploited in Fancy Product Designer, a WordPress plug-in installed on more than 17,000 websites.

Researchers from Wordfence, which develops security solutions to protect WordPress, says it found the vulnerability on Monday. The Wordfence Intelligence Team contacted the plug-in's developer the same day and received a response within 24 hours. 

While the Wordfence firewall's built-in file upload protection blocks most attacks targeting this vulnerability, the team found a bypass is possible in some configurations. Wordfence released a new firewall rule to premium customers on Monday, though websites running the free version of Wordfence will receive the rule after 30 days, on June 30.

"As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available," Wordfence says in a statement.

Wordfence says research finds the vulnerability is likely not being targeted on a large scale but has been exploited since at least May 16, 2021.

More details are available here.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights