WordPress recently discovered a critical, actively exploited file upload vulnerability in Fancy Product Designer, a WordPress plugin installed on more than 17,000 websites.
The content management system provider said it discovered the vulnerability on Monday. The Wordfence intelligence team contacted the developer of the plugin on the same day and received a response within 24 hours. Wordfence is a security plugin for websites using WordPress.
Although the Wordfence firewall’s built-in file upload protection prevents most attacks against this vulnerability, the team found that it can be bypassed in certain configurations. WordPress released a new firewall rule to premium customers on Monday, but websites running the free version of Wordfence will receive the rule 30 days later, on June 30.
“Since this is a critical 0-day subject to active attacks, even if the plug-in has been disabled, it can still be exploited in certain configurations. We urge anyone who uses this plug-in to uninstall Fancy Product Designer completely, if possible, until the patch version is available,” WordPress said in a statement.
WordPress said its research indicates that the vulnerability may not be targeted on a large scale, but it has been exploited since at least May 16, 2021.
More detailed information is available from WordPress.
Dark Reading’s Quick Hits briefly introduces the importance of breaking news events. For more information about the original source of this news, please click on the link provided in this article.