A recently discovered critical file upload vulnerability is being actively exploited in Fancy Product Designer, a WordPress plug-in installed on more than 17,000 websites.
Researchers from Wordfence, which develops security solutions to protect WordPress, says it found the vulnerability on Monday. The Wordfence Intelligence Team contacted the plug-in's developer the same day and received a response within 24 hours.
While the Wordfence firewall's built-in file upload protection blocks most attacks targeting this vulnerability, the team found a bypass is possible in some configurations. Wordfence released a new firewall rule to premium customers on Monday, though websites running the free version of Wordfence will receive the rule after 30 days, on June 30.
"As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available," Wordfence says in a statement.
Wordfence says research finds the vulnerability is likely not being targeted on a large scale but has been exploited since at least May 16, 2021.
More details are available here.