A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise.
On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.
While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.
As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to update to the latest version available, 4.6.9, immediately.