Wordfence discovered a zero-day vulnerability (CVE-2021-24370) in a popular WordPress plugin called Fancy Product Designer.
The vulnerability is being actively exploited by cybercriminals in attacks that plant malware on websites.
“The plugin contains some protection measures to prevent downloading malicious files. Unfortunately, this was not enough, and the hackers easily bypassed the protection and started uploading executable PHP files to any site with the plugin installed,” Wordfence said in a message.
According to experts, an attacker who exploits this vulnerability can achieve remote code execution on a vulnerable website and take complete control of it.
Wordfence does not disclose the technical details of the vulnerability, as it is used in real-world attacks.
The issue scored 9.8 out of a maximum 10 on the CVSS scale and affects versions of Fancy Product Designer prior to 4.6.9.
In some cases, the zero-day vulnerability can be exploited even if the plugin has been deactivated. The issue has been fixed in Fancy Product Designer plugin version 4.6.9.
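Wordfence withheld the bypass details, so nothing below reproduces the plugin's flaw. As an added defender-side example (not Wordfence's code and not the plugin's), the script implements the two checks a site owner would want after reading this report: a scan of a WordPress uploads tree for executable PHP files, including double-extension names and PHP open tags hidden inside image-named files, and an allowlist-style upload validator that rejects such files. The extension lists, the sample directory and every file in it are constructed for the demonstration.

```python
"""Added example: detect dropped PHP files in an uploads tree and validate
new uploads against an allowlist.  Not the plugin's or Wordfence's code;
all names, lists and sample files are constructed for illustration."""
import os
import re
import tempfile

# Extensions a typical PHP-enabled web server will execute (illustrative list).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Image types a product-designer upload endpoint would plausibly accept (assumption).
ALLOWED_IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# PHP open tags: "<?php" and the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def suspicious_reasons(path: str) -> list[str]:
    """Return the reasons a file in an uploads tree looks like dropped PHP (empty if benign)."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    # Check every extension segment, not only the last one: some server
    # configurations execute names such as "img.php.png".
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        reasons.append("executable extension")
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return reasons
    # A PHP open tag inside a file named like an image is the classic
    # upload-filter bypass artefact; flag it regardless of extension.
    if PHP_TAG.search(head):
        reasons.append("php open tag in content")
    return reasons


def scan_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads directory and map relative path -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = suspicious_reasons(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def validate_upload(filename: str, data: bytes) -> bool:
    """Allowlist check for a new upload: one extension, on the allowlist,
    magic bytes that match it, and no PHP open tag anywhere in the body."""
    parts = filename.lower().split(".")
    if len(parts) != 2:            # rejects "a.php.png" and bare names alike
        return False
    ext = parts[1]
    if ext not in ALLOWED_IMAGE_EXTS:
        return False
    if not data.startswith(MAGIC[ext]):
        return False
    if PHP_TAG.search(data):      # polyglot image carrying PHP
        return False
    return True


def build_sample_tree() -> str:
    """Create a constructed uploads tree with one benign and three malicious files."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    samples = {
        "logo.png": MAGIC["png"] + b"\x00" * 16,                 # benign
        "shell.php": b"<?php /* constructed sample */ ?>",       # plain PHP drop
        "img.php.png": MAGIC["png"] + b"\x00" * 8,                # double extension
        "cover.jpg": MAGIC["jpg"] + b"\x00" * 4 + b"<?php /* constructed */ ?>",  # polyglot
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, why in sorted(scan_uploads(sample_root).items()):
        print(f"{rel}: {', '.join(why)}")
    print("validate logo.png:", validate_upload("logo.png", MAGIC["png"] + b"\x00" * 16))
    print("validate shell.php:", validate_upload("shell.php", b"<?php echo 1;"))
```

Run it against the real `wp-content/uploads` path instead of the constructed tree to get a quick inventory of files that should never sit in an uploads directory; the validator shows the shape of check (single allowlisted extension plus content inspection) that an upload endpoint needs so that a renamed or polyglot PHP file is refused rather than written to disk.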