Wednesday, 09 July 2025

Hackers exploit critical 0Day in the Fancy Product Designer WordPress plugin

Wordfence discovered a zero-day vulnerability (CVE-2021-24370) in the popular Fancy Product Designer WordPress plugin. Cybercriminals are actively exploiting the vulnerability in attacks that upload malware to websites.

“The plugin contains some protection measures in place to prevent malicious files from being uploaded. Unfortunately, it was not enough, and the hackers could easily bypass the protection and start to upload executable PHP files to any site with the plugin installed,” reads the post published by the Wordfence experts.

According to the experts, an attacker exploiting this vulnerability could achieve remote code execution on an affected website and take over the site completely. The flaw has a CVSS score of 9.8 and affects versions of Fancy Product Designer prior to 4.6.9.

In some cases, the 0Day vulnerability could be exploited even if the plugin has been deactivated. The issue has been fixed in Fancy Product Designer plugin version 4.6.9.

Source: securitylab.ru

04 June 2021
