
Uninstall Now: Critical WordPress Plug-In Flaw Exploited

Fancy Product Designer Flaw Allows Remote Code Execution
Users are advised to uninstall the Fancy Product Designer plug-in. (Image: Fancy Product Design)

Hackers are exploiting a critical zero-day flaw in the WordPress plug-in Fancy Product Designer, which allows remote code execution, the Wordfence Threat Intelligence team at Defiant Inc. says. Because a patch has not yet been released, the team urges users to immediately uninstall the vulnerable plug-in.

Wordfence is the WordPress security product made by Defiant Inc.


Fancy Product Designer is a plug-in that lets site visitors customize products online, and it is compatible with multiple e-commerce platforms, says Ram Gall, a security analyst at Defiant.

Attackers are exploiting the critical remote code execution vulnerability to upload malicious files, Gall says. The plug-in has its own checks on uploaded files, but attackers are bypassing them to upload executable PHP files, achieve remote code execution and then attempt a full site takeover, he adds.

Defiant says it's working with the Fancy Product Designer plug-in's developer to mitigate the flaw.

"As this is a critical zero-day under active attack and is exploitable in some configurations even if the plug-in has been deactivated, we urge anyone using this plug-in to completely uninstall Fancy Product Designer, if possible, until a patched version is available," Gall says.

Defiant did not respond to a request for comment.
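Two points above are worth turning into a quick check on a site you administer: attackers plant PHP files through the plug-in's uploader, and deactivating the plug-in does not remove those files or the vulnerable handler from disk, which is why uninstalling is the advice. The script below is an added example, not code from Wordfence, Defiant or the plug-in's developer. It assumes a standard WordPress layout (wp-content/plugins and wp-content/uploads) and a hypothetical plug-in directory name, fancy-product-designer; the sample files it creates are constructed for the demonstration, not taken from a real incident.

```python
"""Triage helper for the upload flaw described above.

Added example, not code from Wordfence, Defiant or the plug-in's developer.
Assumptions not stated on the page: the plug-in's directory name under
wp-content/plugins (hypothetical default below) and that attacker uploads land
somewhere under wp-content/uploads. Both are parameters.
"""
import re
import tempfile
from pathlib import Path

# Extensions a product-design uploader would legitimately accept.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
# Extensions a PHP handler (or a permissive Apache config) may execute.
EXEC_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# PHP open tags: "<?php" and the short echo form "<?=".
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def plugin_present(wp_root, slug="fancy-product-designer"):
    """Deactivating a plug-in only flips a database option; its files stay on
    disk, so an upload handler that can be requested directly is still
    reachable. True means the directory still exists and uninstall is needed.
    `slug` is an assumed directory name, not one taken from the article."""
    return (Path(wp_root) / "wp-content" / "plugins" / slug).is_dir()


def scan_uploads(wp_root):
    """Return sorted (relative path, reason) pairs for files under
    wp-content/uploads that should not be there: executable extensions,
    double extensions such as logo.php.png, an .htaccess that could remap
    handlers, and image-named files carrying a PHP open tag (polyglots)."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    findings = []
    for path in uploads.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(uploads).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        if path.name == ".htaccess":
            findings.append((rel, ".htaccess in uploads"))
        elif suffixes and suffixes[-1] in EXEC_EXTS:
            findings.append((rel, "executable extension in uploads"))
        elif any(s in EXEC_EXTS for s in suffixes[:-1]):
            findings.append((rel, "double extension"))
        elif suffixes and suffixes[-1] in IMAGE_EXTS:
            # Read the whole file: appended PHP sits after the image data.
            if PHP_TAG.search(path.read_bytes()):
                findings.append((rel, "PHP open tag inside image-named file"))
    return sorted(findings)


def build_demo_site(root):
    """Create a constructed WordPress-like tree with one benign upload and
    three suspicious ones. Sample data for the demo, not from a real incident;
    the 'malicious' files only contain a harmless echo."""
    root = Path(root)
    (root / "wp-content" / "plugins" / "fancy-product-designer").mkdir(parents=True)
    up = root / "wp-content" / "uploads" / "2021" / "06"
    up.mkdir(parents=True)
    (up / "design-1.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (up / "shell.php").write_bytes(b"<?php echo 'marker'; ?>")
    (up / "logo.php.png").write_bytes(b"GIF89a<?php echo 'marker'; ?>")
    (up / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 16 + b"<?= 'marker' ?>")
    return root


def run_demo():
    """Build the sample tree, run both checks and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_site(tmp)
        return plugin_present(root), scan_uploads(root)


if __name__ == "__main__":
    present, findings = run_demo()
    print("plug-in directory still on disk:", present)
    for rel, reason in findings:
        print(f"{rel}: {reason}")
```

On a real site, call `plugin_present("/var/www/html")` and `scan_uploads("/var/www/html")` with the actual document root and, if the plug-in's directory name differs, pass it as `slug`. Treat the result as triage rather than assurance: once an attacker has achieved remote code execution, files can be planted anywhere on the host, not only under uploads, so a clean scan does not prove the site is clean, and the plug-in should be uninstalled regardless until a patched version ships.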

Other Incidents

Attackers have also exploited other unpatched WordPress plug-in flaws in recent incidents.

In May, researchers disclosed that attackers had targeted Florida water utilities, including the Oldsmar water treatment plant, through a watering hole attack: a contractor's website that ran on WordPress and contained several vulnerable plug-ins was compromised to reach its visitors (see: Watering Hole Attack Targeted Florida Water Utilities).

In March, Wordfence Threat Intelligence researchers at Defiant identified five vulnerabilities in Tutor LMS, a WordPress plug-in installed on more than 20,000 sites. The flaws were later patched (see: WordPress LMS Tutor Plug-In Flaws Patched).

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
