Last Updated on July 1, 2021 by Calvin C.
On May 31, 2021, Wordfence discovered a critical zero-day vulnerability in the Fancy Product Designer plugin that hackers were actively exploiting; it was quickly patched in v4.6.9 on June 2, 2021.
- This means that if you have this plugin installed on your WordPress site, you need to update to the latest version as soon as possible.
Fancy Product Designer Plugin
The plugin is installed on over 17,000 WordPress sites, and the Wordfence threat intelligence team found a critical file upload vulnerability in it.
Using this flaw, hackers are able to upload malware to any site that has the plugin installed.
Fortunately, the developer was alerted in time and quickly released an update that patches the vulnerability.
- Description: Unauthenticated Arbitrary File Upload and Remote Code Execution
- Affected Plugin: Fancy Product Designer
- Plugin Slug: fancy-product-designer
- Affected Versions: < 4.6.9
- CVE ID: CVE-2021-24370
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Researcher/s: Charles Sweethill/Ram Gall
- Fully Patched Version: 4.6.9
Fancy Product Designer is a cool tool that allows customers to customize a product to their liking, e.g. mugs, T-shirts, phone cases and more.
This increases the product range and allows adaptation to an ever-changing environment with ease.
For someone running an e-commerce website, this tool opens doors to new possibilities.
In a publication, Wordfence said:
“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.”
Further details in the report were as follows:
“While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.”
According to Wordfence, before the update was rolled out, the plugin had insufficient checks to prevent malware from being uploaded.
This allowed attackers to upload executable PHP files to any site running the plugin.
Once the file is uploaded, an attacker can take over the site remotely, usually with devastating consequences.
What’s shocking is that the vulnerability was exploited as far back as January 2020, according to the findings!
Even if a user deactivated the plugin, attackers would still have access to the site, unless it is uninstalled completely.
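As an added defender-side example (not code from this post, from Wordfence or from the plugin), the script below scans a WordPress uploads tree for the kind of planted PHP the post describes: files with executable PHP extensions, PHP open tags hidden in files named as images, and image files that lack the expected header. The directory names and sample files are constructed for the demo; in practice you would point `scan_uploads()` at your real wp-content/uploads directory.

```python
import re
import tempfile
from pathlib import Path

# Extensions a typical PHP web server executes; none belongs under uploads.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# Leading bytes expected for the image formats a product designer stores.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(filename, head):
    """Return why `filename` (leading bytes `head`) looks like planted PHP, else None:
    an executable extension anywhere in the name (catches 'x.php.jpg'), a PHP open
    tag inside a claimed image, or an image extension without its magic header."""
    lower = filename.lower()
    if {"." + p for p in lower.split(".")[1:]} & EXECUTABLE_EXTS:
        return "executable PHP extension"
    ext = Path(lower).suffix
    if ext in MAGIC:
        if PHP_TAG.search(head):
            return "PHP open tag inside image file"
        if not head.startswith(MAGIC[ext]):
            return "image extension but wrong magic bytes"
    return None

def scan_uploads(root, head_size=4096):
    """Walk `root` and return sorted (relative POSIX path, reason) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                reason = classify(path.name, fh.read(head_size))
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)

def demo():
    """Write a constructed uploads tree to a temp dir, scan it, return findings."""
    sample = {  # constructed sample files, not real artefacts
        "2021/06/mug-design.png": MAGIC[".png"] + b"\x00" * 32,  # benign
        "2021/06/preview.png": b"<?php /* sample */ ?>",         # PHP in image
        "2021/06/thumb.php.jpg": MAGIC[".jpg"] + b"\x00" * 8,    # double extension
        "2021/05/cache.php": b"<?php /* sample */ ?>",           # executable
        "2021/05/odd.gif": b"not-a-gif",                         # wrong magic
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_uploads(root)
```

A hit is a reason to investigate rather than proof of compromise; a PHP file under uploads should be compared against a clean copy of the plugin and the site's backups before removal.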
It is important to keep all plugins up-to-date if you have a WordPress site.
How to update to a new version
Accessing the new, patched version is easy.
Log in to CodeCanyon and visit the product page, where you will find the download link.
Once you have downloaded the patched version of the plugin, upload it to your WordPress site.
A word of thanks to the Wordfence threat intelligence team for detecting this critical zero-day vulnerability.
The developers also swiftly patched the flaw, which saved many sites from malware attacks.
Make sure you only use plugins that you really need on your site, because any redundant plugin can open a door to malware attacks.
Are you taking the necessary measures to protect your business or your personal data from cyberattacks when online?