- A new security risk has been discovered by the Threat Intelligence team at Wordfence.
- The vulnerability affects a WordPress plugin that allows the upload of images and PDF files for products.
- A threat report states that it has been under active attack since January 30, 2021.
A newly found vulnerability in a WordPress plugin affects over 17,000 websites. It is actively being exploited to collect customer information from these e-commerce sites.
The security lapse was discovered by the Wordfence Threat Intelligence team on May 31. According to the cybersecurity firm's report, security analyst Charles Sweethill found a critical file upload vulnerability in a WordPress plugin named Fancy Product Designer.
The plugin is used by e-commerce website owners to upload images and PDF files for products on their online stores. The report mentions that the vulnerability has been actively exploited since January 30, 2021. However, the attacks have been limited in number and have come from specific IP addresses.
The single attacker responsible for the majority of these attacks appears to be targeting e-commerce sites and attempting to extract order information from their databases. The report highlights that this order information "contains personally identifiable information from customers."
The attackers bypassed the plugin's insufficient checks, which were meant to block the upload of malicious files. They uploaded executable PHP files to websites with the plugin installed, gaining remote code execution and, eventually, full site takeover.
In its report, Wordfence shares common indicators of compromise for victims of such an attack. It states that, in most cases, a successful attack leaves a number of additional files on the site. These files appear in a subfolder of either "wp-admin" or "wp-content/plugins/fancy-product-designer/inc".
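The two directories named above normally hold many legitimate PHP files, so a useful check compares them against a known-good file list rather than flagging every PHP file. The script below is an added example, not code from the Wordfence report or the plugin; it assumes the site lives at `wp_root` and that `baseline` holds the relative paths of files present in a clean copy of the same WordPress and plugin versions.

```python
#!/usr/bin/env python3
"""Added example (not from the Wordfence report): list PHP-like files in the
directories the report names that are absent from a known-good baseline.
Assumed: the site lives at wp_root and `baseline` holds relative paths of
files found in a clean copy of the same WordPress and plugin versions.
Hits are leads for manual review, not proof of compromise."""
import os
import re

# Where the report says post-exploitation files appear (a subfolder of either).
WATCH_DIRS = ("wp-admin",
              os.path.join("wp-content", "plugins", "fancy-product-designer", "inc"))

# .php plus alternate extensions many servers also hand to the PHP engine.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# A PHP open tag in the first 4 KiB, so an "image" or "PDF" carrying code is caught.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def looks_like_php(path: str) -> bool:
    """True for a PHP extension or a PHP open tag near the start of the file."""
    if PHP_EXT.search(path):
        return True
    with open(path, "rb") as fh:
        return PHP_TAG.search(fh.read(4096)) is not None

def find_unexpected_php(wp_root: str, baseline: set) -> list:
    """Return relative paths of PHP-like files under WATCH_DIRS not in baseline."""
    hits = []
    for sub in WATCH_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(wp_root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                if rel not in baseline and looks_like_php(full):
                    hits.append(rel)
    return sorted(hits)

def load_baseline(manifest_path: str) -> set:
    """Read one relative path per line from a manifest of the clean install."""
    with open(manifest_path, encoding="utf-8") as fh:
        return {line.strip().replace(os.sep, "/") for line in fh if line.strip()}

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: scan.py <wp_root> <baseline_manifest>")
    for hit in find_unexpected_php(sys.argv[1], load_baseline(sys.argv[2])):
        print(hit)
```

Any hit should be reviewed by hand together with the web server's access logs for the matching upload request; a clean result does not rule out files dropped elsewhere on the site.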
Wordfence informed the plugin's developers and released a patch for its customers on the same day as the discovery. The developers of Fancy Product Designer have also released a new version of the plugin, 4.6.9. Wordfence advises users of this plugin to update to the latest version.
The update is especially important because this is a zero-day vulnerability under active attack. Wordfence warns that in some configurations it is exploitable even when the plugin is deactivated. Updating to the latest version is therefore the only effective measure at present.
Because attackers can still exploit the vulnerability on unpatched sites, the threat intelligence report withholds further details for now. Wordfence says it will publish more technical details of the attacks once more users have updated to the patched version of the plugin.