Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021-24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild.

Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in their online stores, it is currently installed on more than 17,000 websites.

Experts pointed out that the vulnerability could be exploited only in certain configurations, but even if the plugin is not active.

Attackers are exploiting the flaw to extract order information from site databases, anyway, this vulnerability is likely not being attacked on a large scale.

Users could modify their products by uploading images and PDF files, but experts noticed that the checks in place to prevent malicious files from being uploaded are not sufficient and could be easily be bypassed

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed.” reads the post published by the experts. “This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The flaw has been rated with a CVSS score of 9.8 out of 10, an attacker could exploit the issue to upload executable PHP files to online stores that have the plugin installed.