Critical 0-day in Fancy Product Designer Under Active Attack

On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.

We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.

While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.

As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available.


Description: Unauthenticated Arbitrary File Upload and Remote Code Execution
Affected Plugin: Fancy Product Designer
Plugin Slug: fancy-product-designer
Affected Versions: <= 4.6.8
CVE ID: Pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Charles Sweethill/Ram Gall
Fully Patched Version: Pending

Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for  any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.

We will provide a more detailed technical explanation of the vulnerability once it has been patched.

Indicators of Compromise

In most cases a successful attack results in a file with a unique ID and a PHP extension, which will appear in a subfolder of either
wp-admin
or
wp-content/plugins/fancy-product-designer/inc
with the date the file was uploaded. For instance:

wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php

or

wp-admin/2021/05/31/1d4609806ff0f4e89a3fb5fa35678fa0.php

The majority of attacks against this vulnerability are coming from the following IP addresses:

69.12.71.82
92.53.124.123
46.53.253.152

Our research indicates that this vulnerability is likely not being attacked on a large scale but has been exploited since at least May 16, 2021.

Timeline

May 31, 2021 15:05 UTC – Wordfence Security Analyst Charles Sweethill finds evidence of a previously unknown vulnerability during malware removal and forensic investigation as part of a site cleaning and begins investigating possible attack vectors.
May 31, 2021 15:45 UTC – Charles notifies the Wordfence Threat Intelligence team and a full investigation begins.
May 31, 2021 16:20 UTC – We develop an initial proof of concept and begin work on a firewall rule.
May 31, 2021 17:06 UTC – We initiate contact with the plugin developer.
May 31, 2021 18:59 UTC – We release the firewall rule protecting against this vulnerability to Wordfence Premium customers.
June 1, 2021 09:03 UTC – The plugin developer responds to our initial contact.
June 1, 2021 13:35 UTC – We send over full disclosure.
June 30, 2021 – Firewall rule becomes available to free Wordfence users.

Conclusion

In today’s article, we covered a critical 0-day vulnerability in Fancy Product Designer that is being actively attacked and used to upload malware onto sites that have the plugin installed.

While Wordfence Premium users should be protected against this vulnerability, we urge any users of this plugin to completely uninstall it until a patch is available, as it is possible in some configurations to exploit the vulnerability even if the plugin is deactivated.

We will continue to monitor the situation and follow up as more information becomes available.

Special Thanks to Wordfence Security Analyst Charles Sweethill for discovering the vulnerability, determining the most likely vectors and indicators of compromise, and testing the firewall rule during a holiday.

The post Critical 0-day in Fancy Product Designer Under Active Attack appeared first on Wordfence.

More great articles

Vulnerabilities Patched in Page Builder by SiteOrigin Affects Over 1 Million Sites

On Monday, May 4, 2020, the Wordfence Threat Intelligence team discovered two vulnerabilities present in Page Builder by SiteOrigin, a…

Read Story

Cross Site Scripting in YITH WooCommerce Ajax Product Filter

During a routine research audit for our Sucuri Web Application Firewall, we discovered a cross-site scripting (XSS) vulnerability affecting 100,000+…

Read Story

Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites

On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.