WordPress has recently discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on more than 17,000 websites.
The content management system provider says it found the vulnerability on Monday. The Wordfence Intelligence Team contacted the plugin’s developer the same day and received a response within 24 hours. Wordfence is a security plugin for sites that use WordPress.
While the Wordfence firewall’s built-in file upload protection blocks most attacks targeting this vulnerability, the team found a bypass is possible in some configurations. WordPress released a new firewall rule to premium customers on Monday, though websites running the free version of Wordfence will receive the rule after 30 days, on June 30.
“As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available,” WordPress says in a statement.
WordPress says research finds the vulnerability is likely not being targeted on a large scale but has been exploited since at least May 16, 2021.
More details are available from WordPress here.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.