Fancy Product Designer, a WordPress plugin used on over 17,000 websites, contains a critical file upload vulnerability that is currently being exploited in the wild to upload malware to websites where the plugin is installed.
The vulnerability was identified by Wordfence’s Threat Intelligence team and reported to the vendor on May 31. Although the issue has been identified, it has yet to be fixed.
Fancy Product Designer is a platform that allows businesses to offer personalized items. Customers can design anything from t-shirts to phone cases by uploading photos and PDF files that can then be integrated into the product.
Wordfence said in a write-up published on Tuesday that “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed”.
Signs of compromise
Under most circumstances, a successful attack creates a set of files stored in a subfolder of either wp-admin or wp-content/plugins/fancy-product-designer/inc, with the subfolder named after the date the file was uploaded. For instance: wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php or wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php.
The following filenames and MD5 hashes are associated with this attack:
ass.php – MD5 3783701c82396cc96d842839a291e813. This is the original payload, a dropper that downloads more malware from a third-party site.
op.php – MD5 29da9e97d5efe5c9a8680c7066bb2840. A web shell that requires a password to access.
e6b9197ecdc61125a4e502a5af7cecae – MD5 e6b9197ecdc61125a4e502a5af7cecae. A webshell detected in previous infections.
4fa00001c720b30102987d980e62d5e4.php – MD5 4329689c76ccddd1d2f4ee7fef3dab71. This payload decrypts and loads an additional webshell.
4fa00001c720b30002987d983e62d5.jpg – MD5 c8757b55fc7d456a7a1aa024398471. The compressed webshell loaded by 4fa00001c720b30102987d980e62d5e4.php; it cannot run if the loader script is not present.
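The indicators above lend themselves to a simple file-system sweep: walk the two drop locations, flag any PHP file sitting in a YYYY/MM/DD subfolder (neither wp-admin nor the plugin's inc folder has such folders normally), and compare filenames and MD5 values against the list. The script below is an added example, not Wordfence's or the plugin's code; it builds a throwaway WordPress-like tree of constructed placeholder files (no real malware) so it runs offline, and the scanner itself only needs to be pointed at a real site root. The hashes and filenames are copied as printed in the list, including the 30-character value given for the .jpg.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the list above (filenames and MD5 values as printed there).
KNOWN_MD5 = {
    "3783701c82396cc96d842839a291e813",  # ass.php, dropper
    "29da9e97d5efe5c9a8680c7066bb2840",  # op.php, password-protected web shell
    "e6b9197ecdc61125a4e502a5af7cecae",  # webshell seen in earlier infections
    "4329689c76ccddd1d2f4ee7fef3dab71",  # 4fa00001c720b30102987d980e62d5e4.php, loader
    "c8757b55fc7d456a7a1aa024398471",    # .jpg payload, value as printed (30 hex chars)
}
KNOWN_NAMES = {
    "ass.php",
    "op.php",
    "4fa00001c720b30102987d980e62d5e4.php",
    "4fa00001c720b30002987d983e62d5.jpg",
}
# Drop locations named in the write-up, relative to the WordPress root.
SUSPECT_DIRS = (
    "wp-admin",
    "wp-content/plugins/fancy-product-designer/inc",
)
# Dropped files sit in a YYYY/MM/DD subfolder; neither location has such folders normally.
DATE_FOLDER_RE = re.compile(r"/\d{4}/\d{2}/\d{2}/[^/]+$")


def md5_of(path):
    """Return the hex MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_wordpress_root(root, known_md5=KNOWN_MD5, known_names=KNOWN_NAMES):
    """Walk the drop locations under root and return (relative_path, md5, reasons)
    for every file that matches a listed hash, a listed filename, or the
    PHP-in-date-folder pattern. Files that match nothing are not reported."""
    findings = []
    for rel_dir in SUSPECT_DIRS:
        base = os.path.join(root, rel_dir)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                reasons = []
                if DATE_FOLDER_RE.search("/" + rel) and name.lower().endswith(".php"):
                    reasons.append("php-in-date-folder")
                if name in known_names:
                    reasons.append("known-filename")
                digest = md5_of(full)
                if digest in known_md5:
                    reasons.append("known-md5")
                if reasons:
                    findings.append((rel, digest, tuple(reasons)))
    return sorted(findings)


def build_constructed_site():
    """Create a temporary WordPress-like tree of constructed placeholder files
    (harmless text, not real payloads) so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="fpd-ioc-")
    layout = {
        "wp-admin/index.php": "<?php // legitimate core file (constructed)\n",
        "wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php": "<?php // constructed stand-in\n",
        "wp-content/plugins/fancy-product-designer/inc/2021/05/30/ass.php": "<?php // constructed stand-in\n",
        "wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30002987d983e62d5.jpg": "not an image (constructed)\n",
        "wp-content/plugins/fancy-product-designer/inc/class-loader.php": "<?php // plugin file (constructed)\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_constructed_site()
    for rel, digest, reasons in scan_wordpress_root(site):
        print(f"{rel}  md5={digest}  reasons={','.join(reasons)}")
```

On a real site, call scan_wordpress_root("/var/www/html") (path assumed) and treat any "known-md5" or "known-filename" hit as confirmed; a "php-in-date-folder" hit with an unlisted hash still deserves inspection, since the write-up notes the hashes cover only the payloads seen so far.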
The following IP addresses are responsible for most attacks on this vulnerability:
With this capability, an attacker can gain remote code execution on a vulnerable website, allowing complete site takeover, according to the researchers. Wordfence did not disclose the technical details of the vulnerability because it is currently being exploited.
Wordfence stated that the zero-day could be exploited even if the plugin was deactivated, and advised users to uninstall Fancy Product Designer entirely until a fixed version is available.
In addition, the company strongly advises all users of this plugin to update to the latest version, 4.6.9, as it is possible to exploit the vulnerability even if the plugin is disabled in certain configurations.