On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.
While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.
As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available.
Unauthenticated Arbitrary File Upload and Remote Code Execution
Fancy Product Designer
Plugin Slug: fancy-product-designer
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Charles Sweethill/Ram Gall
Fully Patched Version:
Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.
We will provide a more detailed technical explanation of the vulnerability once it has been patched.
Indicators of Compromise
In most cases a successful attack results in a file with a unique ID and a PHP extension, which will appear in a subfolder of either
with the date the file was uploaded. For instance:
The majority of attacks against this vulnerability are coming from the following IP addresses:
Our research indicates that this vulnerability is likely not being attacked on a large scale but has been exploited since at least May 16, 2021.
May 31, 2021 15:05 UTC – Wordfence Security Analyst Charles Sweethill finds evidence of a previously unknown vulnerability during malware removal and forensic investigation as part of a site cleaning and begins investigating possible attack vectors.
May 31, 2021 15:45 UTC – Charles notifies the Wordfence Threat Intelligence team and a full investigation begins.
May 31, 2021 16:20 UTC – We develop an initial proof of concept and begin work on a firewall rule.
May 31, 2021 17:06 UTC – We initiate contact with the plugin developer.
May 31, 2021 18:59 UTC – We release the firewall rule protecting against this vulnerability to Wordfence Premium customers.
June 1, 2021 09:03 UTC – The plugin developer responds to our initial contact.
June 1, 2021 13:35 UTC – We send over full disclosure.
June 30, 2021 – Firewall rule becomes available to free Wordfence users.
In today’s article, we covered a critical 0-day vulnerability in Fancy Product Designer that is being actively attacked and used to upload malware onto sites that have the plugin installed.
While Wordfence Premium users should be protected against this vulnerability, we urge any users of this plugin to completely uninstall it until a patch is available, as it is possible in some configurations to exploit the vulnerability even if the plugin is deactivated.
We will continue to monitor the situation and follow up as more information becomes available.
Special Thanks to Wordfence Security Analyst Charles Sweethill for discovering the vulnerability, determining the most likely vectors and indicators of compromise, and testing the firewall rule during a holiday.