The Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products.
Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for an attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.
Indicators Of Compromise
In most cases, a successful attack results in a file with a unique ID and a PHP extension, which will appear in a subfolder of either wp-admin or wp-content/plugins/fancy-product-designer/inc with the date the file was uploaded. For instance:
wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php
or
wp-admin/2021/05/31/1d4609806ff0f4e89a3fb5fa35678fa0.php
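To check a site for files of this shape, the following added example (not code from Wordfence or the plugin) walks the two directories named above and reports PHP files sitting in a YYYY/MM/DD subfolder. The function names and the sample tree are constructed for illustration, and treating the unique ID as 32 hex characters is an assumption drawn from the two example paths.

```python
import os
import re
import tempfile

# Directories the article names as upload locations, relative to the WordPress root.
IOC_BASES = ("wp-admin", "wp-content/plugins/fancy-product-designer/inc")

# YYYY/MM/DD/<name>.php directly below one of the bases, as in the two examples.
DATED_PHP = re.compile(r"^(\d{4})/(\d{2})/(\d{2})/([^/]+)\.php$", re.IGNORECASE)
# Assumption: the "unique ID" is 32 hex characters, as in both example paths.
HEX_ID = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def find_ioc_files(wp_root):
    """Return sorted (relative_path, id_matches_examples) for each dated PHP file."""
    hits = []
    for base in IOC_BASES:
        base_dir = os.path.join(wp_root, *base.split("/"))
        # os.walk yields nothing if base_dir is missing (plugin not installed).
        for dirpath, _dirs, files in os.walk(base_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, base_dir).replace(os.sep, "/")
                m = DATED_PHP.match(rel)
                if m:
                    hits.append((f"{base}/{rel}", bool(HEX_ID.match(m.group(4)))))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample tree: the article's two example paths plus benign files."""
    paths = [
        "wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php",
        "wp-admin/2021/05/31/1d4609806ff0f4e89a3fb5fa35678fa0.php",
        "wp-admin/index.php",                       # not in a dated subfolder
        "wp-content/uploads/2021/05/30/photo.jpg",  # dated, but outside the IoC bases
        "wp-admin/2021/05/31/readme.txt",           # dated, but not PHP
    ]
    for p in paths:
        full = os.path.join(root, *p.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()  # empty placeholder file


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, hex_id in find_ioc_files(tmp):
            print(f"{'MATCH' if hex_id else 'REVIEW'}  {path}")
```

On a real site, pass the WordPress root to `find_ioc_files`; a hit flagged `False` is a dated PHP file whose name differs from the example shape and still warrants review.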
The majority of attacks against this vulnerability are coming from the following IP addresses:
69.12.71.82
92.53.124.123
46.53.253.152
The Wordfence Threat Intelligence team indicates that this vulnerability is likely not being attacked on a large scale but has been exploited since at least May 16, 2021.
Bijay Pokharel