A critical zero-day vulnerability has been discovered in a WordPress plugin called Fancy Product Designer. A Wordfence Threat Intelligence team from WordPress security company Defiant alerted about this vulnerability. The vulnerability is under active attack, which is tracked as CVE-2021-24370 by using a vulnerability scanning tool. Successful exploitation of the vulnerability allows remote attackers to bypass the firewall’s built-in file upload protection, which blocks malicious file upload. As a result, attackers can deploy PHP files and execute them. To mitigate this vulnerability, we can use a patch management solution.
Fancy Product Designer is a premium plugin for WordPress, WooCommerce, and Shopify stores. It allows customers to design and customize their products of any kind. It also enables customers to upload images and pdf files of the products to their website. Fancy Product Designer plugin is installed on more than 17000 websites.
WordPress Plugin Vulnerability Details (CVE-2021-24370)
A critical (CVSS Score: 9.8) unauthenticated arbitrary file upload and remote code execution vulnerability is found in the Fancy Product Designer plugin for WordPress and WooCommerce. Though Wordfence firewall has built-in file upload protection that blocks malicious file upload, it was possible to bypass the protection mechanism in some configurations. Also, it is possible to exploit the flaw even when the plugin has been deactivated.
However, successful exploitation of the vulnerability allows remote attackers to upload malicious PHP files, execute remote code on the site with the plugin installed, and aid in full site takeover. Moreover, according to the Wordfence security team’s analysis, attackers are trying to fetch order information from e-commerce site’s databases. Since this information usually contains customer’s personal details, an e-commerce site using a vulnerable version of the plugin ends up violating PCI-DSS compliance.
The following are the Indicators of Compromise:
Usually, successful exploitation allows the attackers to place a file in subfolders of wp-admin
or wp-content/plugins/fancy-product-designer/inc
For Ex:
wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php
or
wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php
Followings are the list files used in this attack and their MD5 hash as per Wordfence:
Impact
Also, the vulnerability allows remote attackers to upload malicious PHP files, execute remote code on the site with the plugin installed, and full site takeover.
Affected Applications
Fancy Product Designer plugin before version 4.6.9
Solutions
However, to address this vulnerability, the plugin developer has release version 4.6.9 for the Fancy Product Designer plugin. Also, Wordfence has released new firewall rules to its premium customer to protect from this vulnerability, and free customers will get this update on June 30th.
Furthermore, Use SanerNow EDR to query the machines for IOCs and identify if a machine compromised.