Websites using Fancy Product Designer are susceptible to remote code execution attacks even if the plugin is deactivated

Cybercriminals have been actively exploiting a zero-day vulnerability in Fancy Product Designer, a WordPress plugin used by more than 17,000 websites, according to a blog post by Defiant, which makes Wordfence security plugins for the web publishing platform.

Attackers have been observed using the zero-day to deliver malware to the sites with the plugin installed. There is evidence indicating that the security loophole, which can be misused for full website takeover, was exploited as early as January 30th of this year.

The plugin enables users to customize any type of product, ranging from clothing articles to accessories and household items, by uploading their own images or PDF files. It is used by a variety of platforms, including WordPress, WooCommerce and Shopify.

“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” warned Wordfence QA Engineer Ram Gall.

Based on Defiant’s analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce websites with the aim of getting their hands on order information from the vendor’s databases. The data that could be extracted from these orders may include customers’ personally identifiable information. This could spell problems for website operators since it puts them at risk of violating PCI-DSS (Payment Card Industry Data Security Standard) compliance rules.

Per the PCI Compliance Guide, penalties for non-compliance could range from US$5,000 up to US$100,000 per month. On that note, it’s also worth mentioning that if the website handles the data of EU citizens and their information is exposed, the business would run afoul of the European Union’s General Data Protection Regulation (GDPR), which could also bring hefty fines.

According to the report, if an attack is successful, several files will appear in either the wp-admin or wp-content/plugins subfolder, with an initial payload delivered that is then used to retrieve additional malware from another website.

The Wordfence team notified the plugin’s developer about the vulnerability on May 31st, receiving a response within 24 hours. A patched version, Fancy Product Designer 4.6.9, was rolled out on June 2nd. Administrators of websites running the plugin are advised to patch it immediately, since in some specific configurations the vulnerability could be exploited even if the plugin itself is deactivated.
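Because a deactivated copy can still be exposed, an audit has to work from the files on disk rather than from the list of active plugins. The following is an added example, not code from Wordfence or the plugin's developer: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) to find copies older than 4.6.9 and lists files changed in the two folders named in the report. The function names, the sample directory and file names, and the cutoff timestamp are assumptions made for illustration.

```python
import os, re
from pathlib import Path

PATCHED = (4, 6, 9)                      # fixed release named in the article
PLUGIN_NAME = "fancy product designer"   # matched against the "Plugin Name:" header
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def read_header(php_path):
    """Parse the WordPress plugin header comment at the top of a PHP file."""
    with open(php_path, "r", errors="replace") as fh:
        return {k.lower(): v for k, v in HEADER.findall(fh.read(8192))}

def parse_version(text):
    """'4.6.8' -> (4, 6, 8); anything non-numeric is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def find_unpatched(wp_root):
    """Return [(plugin_dir, version)] for on-disk copies older than PATCHED, active or not."""
    plugins, found = os.path.join(wp_root, "wp-content", "plugins"), []
    for entry in sorted(os.listdir(plugins)):
        folder = os.path.join(plugins, entry)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            hdr = read_header(os.path.join(folder, name)) if name.endswith(".php") else {}
            ver = hdr.get("version", "0")
            if PLUGIN_NAME in hdr.get("plugin name", "").lower() and parse_version(ver) < PATCHED:
                found.append((entry, ver))
    return found

def files_changed_since(wp_root, since_epoch):
    """Files under wp-admin or wp-content/plugins modified after since_epoch.
    Triage only: updates also change mtimes, and timestamps can be reset."""
    hits = []
    for sub in ("wp-admin", os.path.join("wp-content", "plugins")):
        for base, _dirs, files in os.walk(os.path.join(wp_root, sub)):
            hits += [os.path.relpath(os.path.join(base, f), wp_root) for f in files
                     if os.path.getmtime(os.path.join(base, f)) > since_epoch]
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: one outdated plugin copy and one newly written file."""
    plug = Path(root, "wp-content", "plugins", "designer-copy")   # made-up directory name
    plug.mkdir(parents=True)
    Path(root, "wp-admin").mkdir()
    (plug / "main.php").write_text("<?php\n/*\n * Plugin Name: Fancy Product Designer\n * Version: 4.6.8\n */\n")
    os.utime(plug / "main.php", (1_000_000, 1_000_000))           # give it an old mtime
    Path(root, "wp-admin", "dropped.php").write_text("<?php // constructed placeholder\n")
    return root
```

On a real site, pass the WordPress root to `find_unpatched` and compare the output of `files_changed_since` against a known-good copy of the same WordPress and plugin versions.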