WordPress plugin zero-day under active exploitation

Critical 0-day vulnerability in WordPress plugin

Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify that lets customers customize products with their own graphics and content. According to sales statistics for the WordPress plugin, Fancy Product Designer has been installed on more than 17,000 websites.

It contains a critical 0-day arbitrary file upload vulnerability that is being exploited in the wild to upload malware to websites where the plugin is installed.

The vulnerability was identified by Charles Sweethill, a security analyst on Wordfence's Threat Intelligence team, and reported to the vendor on May 31, 2021. A patched version of Fancy Product Designer, 4.6.9, has been available since June 2, 2021.

Description: Unauthenticated Arbitrary File Upload and Remote Code Execution
Affected Plugin: Fancy Product Designer
Plugin Slug: fancy-product-designer
Affected Versions: < 4.6.9
CVE ID: CVE-2021-24370
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Charles Sweethill/Ram Gall
Fully Patched Version: 4.6.9

Wordfence said in a write-up published on Tuesday that “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed”.

Signs of compromise

Under most circumstances, a successful attack creates a set of files in a subfolder named for the upload date (YYYY/MM/DD) under either wp-admin or wp-content/plugins/fancy-product-designer/inc. For instance:
wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php
wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php

The following filenames and MD5 hashes are associated with this attack:

ass.php – MD5 3783701c82396cc96d842839a291e813. The original payload, a dropper that downloads further malware from a third-party site.

op.php – MD5 29da9e97d5efe5c9a8680c7066bb2840. A web shell that requires a password to access.

e6b9197ecdc61125a4e502a5af7cecae – MD5 e6b9197ecdc61125a4e502a5af7cecae. A web shell also seen in earlier infections.

4fa00001c720b30102987d980e62d5e4.php – MD5 4329689c76ccddd1d2f4ee7fef3dab71. A loader that decrypts and loads an additional web shell.

4fa00001c720b30002987d983e62d5.jpg – MD5 c8757b55fc7d456a7a1aa024398471. The compressed web shell loaded by 4fa00001c720b30102987d980e62d5e4.php; it cannot run on its own if the loader script is not present.

The following IP addresses are responsible for most attacks on this vulnerability:

69.12.71.82
92.53.124.123
46.53.253.152
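As an added example (not code from Wordfence or from this article), the following Python script checks a WordPress document root for the file indicators above, both by known MD5 and by the dated-subfolder path pattern, and scans web-server access-log lines for the three listed IPs. The fixture tree, the stand-in file contents and the log lines are constructed for the demo; the request paths in those log lines are assumed, since the article does not say which endpoint the exploit hits, and the truncated .jpg hash is left out because it is incomplete on the page.

```python
"""Added example, not code from Wordfence or from this article: scan a WordPress
document root for the file-system indicators listed above and an access log for
requests from the listed attacker IPs. Fixture files and log lines are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes from the indicators list above (the .jpg hash is truncated on the page
# and is therefore left out).
KNOWN_BAD_MD5 = {
    "3783701c82396cc96d842839a291e813": "ass.php dropper",
    "29da9e97d5efe5c9a8680c7066bb2840": "op.php password-protected web shell",
    "e6b9197ecdc61125a4e502a5af7cecae": "web shell seen in earlier infections",
    "4329689c76ccddd1d2f4ee7fef3dab71": "4fa00001c720b30102987d980e62d5e4.php loader",
}
ATTACKER_IPS = {"69.12.71.82", "92.53.124.123", "46.53.253.152"}

# Upload location described above: a YYYY/MM/DD subfolder under wp-admin or under
# the plugin's inc directory. Neither location legitimately holds such a tree,
# so any PHP file there is flagged even when its hash is not a known one.
DATE_DIR_RE = re.compile(
    r"^(wp-admin|wp-content/plugins/fancy-product-designer/inc)"
    r"/\d{4}/\d{2}/\d{2}/[^/]+\.php$"
)
# Combined log format; only client IP, method, path and status are extracted.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def md5_of(path):
    h = hashlib.md5()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, bad_hashes=KNOWN_BAD_MD5):
    """Return sorted (relative path, reason) pairs for files matching an indicator."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = md5_of(p)
        if digest in bad_hashes:
            hits.append((rel, "known hash: " + bad_hashes[digest]))
        elif DATE_DIR_RE.match(rel):
            hits.append((rel, "PHP file in dated upload subfolder"))
    return sorted(hits)


def scan_access_log(lines):
    """Return (ip, method, path, status) for requests from the attacker IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in ATTACKER_IPS:
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits


# Constructed access-log lines for the demo. The request paths are assumed; the
# article does not say which endpoint the exploit uses.
SAMPLE_LOG = [
    '69.12.71.82 - - [30/May/2021:10:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/May/2021:10:15:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '46.53.253.152 - - [31/May/2021:03:41:55 +0000] "GET /wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php HTTP/1.1" 200 87 "-" "curl/7.68.0"',
]


def build_fixture():
    """Create a constructed WordPress tree in a temp dir (harmless stand-in files)."""
    root = Path(tempfile.mkdtemp(prefix="wp-ioc-"))
    files = {
        "wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php": b"<?php /* stand-in */ ?>",
        "wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php": b"<?php /* stand-in */ ?>",
        "wp-content/plugins/fancy-product-designer/inc/custom-functions.php": b"<?php /* legitimate plugin file */ ?>",
        "wp-content/uploads/2021/05/30/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "wp-admin/op.php": b"<?php /* stand-in for op.php */ ?>",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    root = build_fixture()
    # The real hashes cannot be reproduced without the malware, so the demo also
    # treats the hash of the constructed op.php stand-in as known-bad.
    bad = dict(KNOWN_BAD_MD5)
    bad[md5_of(root / "wp-admin" / "op.php")] = "constructed op.php stand-in"
    return scan_webroot(root, bad), scan_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    file_hits, log_hits = demo()
    for rel, why in file_hits:
        print("FILE", rel, "->", why)
    for ip, method, path, status in log_hits:
        print("LOG ", ip, method, path, "->", status)
```

On a real site, call scan_webroot("/var/www/html") and feed scan_access_log the lines of the server's access log. A known-hash match is conclusive; a path-pattern match needs a look at the file; and neither absence proves the site is clean, since ass.php pulls further payloads from a third-party site and the hashes above will not cover every variant.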

Critical zero-day vulnerability in WordPress Plugin

With this capability, an attacker can achieve remote code execution on a vulnerable website and take it over completely, according to the researchers. Wordfence did not disclose the technical details of the vulnerability because it was being actively exploited.

Before the patch was released, Wordfence stated that the zero-day could be exploited even if the plugin was deactivated, and advised users to uninstall Fancy Product Designer entirely until a fixed version was available.

Now that 4.6.9 is out, the company strongly advises all users of this plugin to update to it. Deactivating the plugin is not a substitute for updating, because in certain configurations the vulnerable code remains reachable while the plugin is disabled.

How do I update?

In most cases you will need to log in to codecanyon.net. Once you are logged in, visit the product page at https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393. In the Overview sidebar on the right-hand side of the product page you should see a Download link. Once you have downloaded the patched version of the plugin, log in to your WordPress site and go to Plugins->Add New->Upload Plugin to upload the patched plugin.
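As an added example (not from the article or the plugin vendor), the following Python check decides whether a site still needs the 4.6.9 update by reading the plugin's version from the standard WordPress plugin header on disk. It deliberately ignores whether the plugin is active, since the flaw is reachable even when it is deactivated; a copy sitting in wp-content/plugins is what matters. The main file name used in the constructed fixture, fancy-product-designer.php, is an assumption; the scanner itself reads the header from whichever top-level PHP file carries it.

```python
"""Added example, not code from the article or the vendor: report whether the
Fancy Product Designer files on disk predate the first fixed release, 4.6.9."""
import re
import tempfile
from pathlib import Path
from typing import Optional

FIXED_VERSION = "4.6.9"
PLUGIN_SLUG = "fancy-product-designer"
# Standard WordPress plugin header line, e.g. " * Version: 4.6.8" or "Version: 4.6.8".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """'4.6.9' -> (4, 6, 9). Non-numeric suffixes such as '4.7-beta' compare as 4.7."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for every release before the first fixed version (< 4.6.9)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(plugin_dir) -> Optional[str]:
    """Return the Version: header from whichever top-level PHP file carries it."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if m:
            return m.group(1)
    return None


def check_site(webroot) -> dict:
    """Report whether the plugin is present on disk and whether it is vulnerable.
    An unreadable version is treated as vulnerable (fail closed)."""
    plugin_dir = Path(webroot) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False, "version": None, "vulnerable": False}
    v = installed_version(plugin_dir)
    return {"installed": True, "version": v, "vulnerable": v is None or is_vulnerable(v)}


def build_fixture(version: str) -> Path:
    """Constructed webroot holding a minimal plugin header (main file name assumed)."""
    root = Path(tempfile.mkdtemp(prefix="wp-fpd-"))
    main = root / "wp-content" / "plugins" / PLUGIN_SLUG / "fancy-product-designer.php"
    main.parent.mkdir(parents=True)
    main.write_text(
        "<?php\n/*\nPlugin Name: Fancy Product Designer\n"
        "Version: " + version + "\n*/\n"
    )
    return root


if __name__ == "__main__":
    for v in ("4.6.8", "4.6.9", "4.6.10"):
        print(v, check_site(build_fixture(v)))
```

Point check_site at the real document root after uploading the patched plugin; it should report version 4.6.9 (or later) and vulnerable False. If it reports installed True with version None, the plugin directory exists but no header could be read, which deserves a manual look rather than being assumed safe.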
