INTRODUCTION
Amid rising attention from malicious actors who exploit extensions and plugins, the Wordfence Threat Intelligence team has uncovered Fancy Product Designer, a WordPress plugin, being actively exploited.
DETAILS
Fancy Product Designer lets sellers engage more customers by allowing shoppers to customize the items they want, including by uploading their own images.
The plugin contains a 0-day file upload vulnerability and is installed on over 17,000 sites, giving attackers a very large surface on which to exploit the flaw by uploading malware.
“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” the researchers said.
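As an added illustration (not code from Fancy Product Designer or Wordfence; the plugin's actual checks are not published on this page), the PHP below contrasts the fragile name-only check that upload flaws of this class typically rest on with a layered validator that looks at the file's bytes, renames the file and keeps it out of an executable location. Function and parameter names are the editor's own; it assumes PHP 7.4+ with the fileinfo extension loaded and getimagesize() available.

```php
<?php
// Added example (editor's own, not the plugin's code): validating an image
// upload with an allowlist plus content inspection, as a WordPress plugin should.
// Assumes PHP 7.4+, the fileinfo extension, and getimagesize() (GD).

// The fragile pattern: a name-only blocklist. It stops only what it literally
// lists and never inspects what the file contains, so anything not named
// exactly ".php" is accepted, including names carrying a second extension.
function weak_upload_check(string $filename): bool
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION)) !== 'php';
}

/**
 * Hardened check: returns a safe destination filename, or null if rejected.
 *
 * @param string $tmp_path    path of the uploaded temp file ($_FILES['f']['tmp_name'])
 * @param string $client_name filename the browser supplied ($_FILES['f']['name'])
 */
function validate_image_upload(string $tmp_path, string $client_name): ?string
{
    // 1. Allowlist of extensions and the MIME type each may carry. SVG is
    //    deliberately absent: it is XML and can embed script.
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
    ];

    // 2. Exactly one extension, and it must be on the allowlist. Names with
    //    several dots are refused outright rather than trusting the web server
    //    to pick the "right" one.
    $base = basename($client_name);
    if (substr_count($base, '.') !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 3. Content checks: the magic bytes must identify an image of the claimed
    //    type and the image header must parse. Both look at bytes, not names.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return null;
    }
    if (@getimagesize($tmp_path) === false) {
        return null;
    }

    // 4. Never reuse the client-supplied name: a random name means the uploader
    //    controls neither the path nor the extension that ends up on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Saves the upload into $upload_dir, which the web server must be configured
 * not to execute scripts from (a .htaccess or nginx rule denying *.php there).
 * Returns the stored path, or null if the file was rejected or could not be moved.
 */
function store_upload(string $tmp_path, string $client_name, string $upload_dir): ?string
{
    $safe_name = validate_image_upload($tmp_path, $client_name);
    if ($safe_name === null) {
        return null;
    }
    $dest = rtrim($upload_dir, '/') . '/' . $safe_name;
    // move_uploaded_file() refuses any source that was not an HTTP upload.
    if (!move_uploaded_file($tmp_path, $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}
```

The point of the layering is that no single check is trusted: the extension allowlist, the content inspection, the forced rename and the non-executable storage directory each have to fail before an uploaded file can run as code. Plugins running inside WordPress can lean on core's own wp_check_filetype_and_ext() for the name-plus-content step rather than reimplementing it.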
The researchers shaped their attack to bypass the Wordfence firewall's file upload protection, a built-in service that protects users against the vulnerability in question. On 31 May, the Wordfence team released a new firewall rule to both premium and standard customers, the latter receiving the rule after 30 days.
Since sites running the plugin can still be exploited, the Wordfence team has publicly disclosed only enough detail to avoid assisting other attackers who might build on the report. The team also contacted the plugin's developer with a full disclosure and received a response within 24 hours.
Deactivating the plugin has been found not to guarantee safety from exploitation; as a protective measure, the researchers have therefore urged users of the plugin to update to the latest version (v4.6.9).
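Because deactivating the plugin alone does not restore safety, a site that was exposed before updating should also be checked for files the flaw may already have placed on disk (the page does not say what was uploaded to any particular site; this assumes the generic case of script files landing in the media tree). The following PHP script is an added example, the editor's own and not from Wordfence or the plugin; its function names and extension list are assumptions. It walks a WordPress uploads directory and reports files that should never be there: anything with a script extension, any file whose first bytes contain a PHP open tag regardless of its extension, and any .htaccess that could change how the directory is served.

```php
<?php
// Added example (editor's own): find script files hiding in a WordPress
// uploads tree. The uploads directory should hold only media, so every hit
// deserves a look. Assumes PHP 7.4+; run from the CLI.

// Extensions PHP-capable servers commonly map to the interpreter (assumed list).
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'inc'];

/** True if the first 1 KiB of the file contains a PHP open tag (<?php or <?=). */
function has_php_open_tag(string $path): bool
{
    $head = @file_get_contents($path, false, null, 0, 1024);
    return $head !== false && preg_match('/<\?(php|=)/i', $head) === 1;
}

/**
 * Returns [path => reason] for every suspicious file below $uploads_dir.
 * Reasons: "config"    a .htaccess inside the media tree,
 *          "extension" a script extension where only media belongs,
 *          "content"   a media-looking name whose bytes start PHP code.
 */
function scan_uploads_for_php(string $uploads_dir): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        if ($file->getFilename() === '.htaccess') {
            $hits[$path] = 'config';
        } elseif (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            $hits[$path] = 'extension';
        } elseif (has_php_open_tag($path)) {
            $hits[$path] = 'content';
        }
    }
    ksort($hits);
    return $hits;
}

// Usage: php scan_uploads.php /var/www/html/wp-content/uploads
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scan_uploads_for_php($argv[1]) as $path => $reason) {
        printf("%-10s %s\n", $reason, $path);
    }
}
```

Some legitimate plugins drop index.html or a .htaccess into their own upload subdirectories, so compare the output against a known-clean install of the same plugin set rather than treating every "config" hit as malicious; "extension" and "content" hits in a media directory, on the other hand, have no routine explanation and warrant incident handling, not just deletion.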
Previously, vulnerabilities in elements allowed an attacker to add JavaScript code to posts; that code could then be executed, facilitating complete website takeover.
Since plugins are installed on hundreds of thousands of sites, the potential for damage once an exploit is discovered is considerable. It is therefore advised to install only community-trusted extensions and plugins.