
Zero‑day in common WordPress plugin exploited to take over web sites


Websites using Fancy Product Designer are susceptible to remote code execution attacks even when the plugin is deactivated

Cybercriminals have been actively exploiting a zero-day vulnerability in Fancy Product Designer, a WordPress plugin used by more than 17,000 websites, according to a blog post by Defiant, which makes the Wordfence security plugins for the web publishing platform.

Attackers have been observed using the zero-day to deliver malware to sites with the plugin installed. There is evidence indicating that the security hole, which can be abused for full site takeover, was exploited as early as January 30th of this year.

The plugin allows customers to customize any kind of product, ranging from clothing to accessories and household goods, by uploading their own images or PDF files. It is used by a variety of platforms, including WordPress, WooCommerce and Shopify.

“Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” warned Wordfence QA Engineer Ram Gall.
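What sufficient checks look like for an upload endpoint that is only meant to accept images and PDFs, as an added illustration: this is not the plugin's own code and does not reproduce whichever checks Fancy Product Designer had. It combines an extension allowlist, a magic-byte check against the declared type, rejection of secondary executable extensions (so that a name like `x.php.png` cannot be handed to a server that maps `.php` anywhere in the name to the PHP handler), and a scan for embedded PHP open tags. The policy, file types, signatures and the `validate_upload` name are assumptions.

```python
import os
import re
from typing import Tuple

# Constructed policy for this illustration: a product customiser only needs
# raster images and PDFs, so everything else is refused up front.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes each allowed type must start with (magic-byte signatures).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions that common web server configurations hand to the PHP engine.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}

# A PHP open tag anywhere in the body turns a valid GIF header into a polyglot.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a customer-supplied file.

    Every rejection reason is deliberately specific so the endpoint can log
    which rule fired; that log is also the first place to look for probing.
    """
    base = os.path.basename(filename)
    if base != filename or ".." in filename:
        return False, "path components not allowed"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"
    # Refuse any executable extension hiding before the final one.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False, "secondary executable extension"
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared type"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"
```

The extension allowlist alone is what a name-only check gives; the magic-byte and tag scans are what close the gap when the upload directory is web-reachable. Storing uploads outside the document root, or serving them with PHP execution disabled for that directory, is the complementary server-side control.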

Based on Defiant's analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce websites with the intention of getting their hands on order information from the vendors' databases. The data that could be extracted from these orders could include customers' personally identifiable information. This could spell trouble for website operators, as it puts them at risk of violating PCI DSS (Payment Card Industry Data Security Standard) compliance rules.

According to the PCI Compliance Guide, penalties for non-compliance can range from US$5,000 up to US$100,000 per month for violations. On that note, it is also worth mentioning that if the website handles the data of EU residents and their information is exposed, the businesses would run afoul of the European Union's General Data Protection Regulation (GDPR), which can also carry hefty fines.

According to the report, if an attack is successful, a number of files will appear in either the wp-admin or wp-content/plugins subfolder, with an initial payload delivered that is then used to retrieve additional malware from another website.
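A quick triage check for the indicator just described, as an added example that is not part of the report or of Wordfence's tooling: it walks the two subfolders named above and lists PHP files whose modification time is newer than a cutoff, which on a site that has not been updated recently is a short list. The `build_sample_site` helper fabricates a tiny fake WordPress tree so the script runs offline; the tree, file names and the seven-day cutoff are constructed for the demo, and a real triage would compare anything it reports against a known-good copy of core and of the plugin rather than trusting timestamps, which an intruder can reset.

```python
import os
import sys
import tempfile
import time
from typing import List, Tuple

# The two locations the report names as where dropped files appear.
SUSPECT_SUBDIRS = ("wp-admin", os.path.join("wp-content", "plugins"))
PHP_EXTENSIONS = (".php", ".phtml", ".phar")


def find_recent_php(wp_root: str, since_epoch: float) -> List[Tuple[str, float]]:
    """Return (path relative to wp_root, mtime) for PHP files under the
    suspect subfolders modified after since_epoch, newest first."""
    hits = []
    for sub in SUSPECT_SUBDIRS:
        top = os.path.join(wp_root, sub)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                if not name.lower().endswith(PHP_EXTENSIONS):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(full).st_mtime
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if mtime > since_epoch:
                    hits.append((os.path.relpath(full, wp_root), mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def build_sample_site(root: str) -> None:
    """Construct a fake WordPress tree for the demo (not a real install):
    two month-old core/plugin files, one fresh PHP file in the plugins
    folder, and a fresh image that must be ignored."""
    now = time.time()
    old = now - 30 * 86400
    layout = [
        (os.path.join("wp-admin", "index.php"), old),
        (os.path.join("wp-content", "plugins", "fancy-product-designer", "index.php"), old),
        (os.path.join("wp-content", "plugins", "dropped.php"), now),
        (os.path.join("wp-content", "uploads", "photo.jpg"), now),
    ]
    for rel, ts in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n" if rel.endswith(".php") else "JPEG")
        os.utime(path, (ts, ts))


def demo_scan() -> List[str]:
    """Build the sample tree in a temp dir and return the relative paths flagged
    with a seven-day cutoff (expected: only the fresh dropped.php)."""
    root = tempfile.mkdtemp()
    build_sample_site(root)
    return [rel for rel, _ in find_recent_php(root, time.time() - 7 * 86400)]


if __name__ == "__main__":
    # Usage: python scan.py /var/www/html   (or no argument for the demo tree)
    if len(sys.argv) > 1:
        cutoff = time.time() - 7 * 86400
        for rel, mtime in find_recent_php(sys.argv[1], cutoff):
            print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), rel)
    else:
        for rel in demo_scan():
            print(rel)
```

Run against a real document root with the path as the first argument; the cutoff should be set to the date of the site's last legitimate update, not left at seven days.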

The Wordfence team notified the plugin's developer about the vulnerability on May 31st, receiving a response within 24 hours. A patched version, Fancy Product Designer 4.6.9, was rolled out on June 2nd. Administrators of websites running the plugin are advised to patch it immediately, since in some specific configurations the vulnerability could be exploited even when the plugin itself is deactivated.
