Actively Exploited Zero-Day Found in WordPress Plugin Used by Many Online Stores


Fancy Product Designer is a premium WordPress plugin for online stores that lets users customize products with images and PDF files uploaded from various devices. The plugin offers various other customization options as well.

This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in Fancy Product Designer. The issue, they explain, could be exploited in certain configurations even if the plugin has been deactivated.

Tracked as CVE-2021-24370 and carrying a CVSS score of 9.8, the bug stems from insufficient checks on uploaded files: the checks the plugin does perform are easily bypassed, allowing an attacker to upload malicious files.
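As an added illustration, not the plugin's code and not Wordfence's analysis, the following shows a weak upload check of the kind the article describes beside a hardened one, in PHP since this concerns a WordPress plugin. The blocklist logic, the sample uploads and the helper names are assumptions made for the example; the page does not state what check the plugin actually performs.

```php
<?php
// Added example, not Fancy Product Designer's code: an extension-blocklist
// upload check of the kind that is "easily bypassed", beside an allowlist
// check that also verifies file content. The sample uploads are constructed;
// in a real handler the name and bytes would come from $_FILES.

// Constructed uploads: client-supplied name and Content-Type plus the first
// bytes of the file body (what a handler would read from tmp_name).
function sample_uploads(): array {
    $pngMagic = "\x89PNG\r\n\x1a\n";
    $phpBody  = "<?php system(\$_GET['c']);";
    return [
        'good_png'   => ['name' => 'design.png',  'type' => 'image/png', 'head' => $pngMagic],
        'php_direct' => ['name' => 'shell.php',   'type' => 'image/png', 'head' => $phpBody],
        'php_upper'  => ['name' => 'shell.PHP',   'type' => 'image/png', 'head' => $phpBody],
        'php_alt'    => ['name' => 'shell.phtml', 'type' => 'image/png', 'head' => $phpBody],
        'traversal'  => ['name' => '../../x.png', 'type' => 'image/png', 'head' => $pngMagic],
    ];
}

// Weak check (assumed illustration): blocklist of one extension, case-sensitive,
// trusting the client-supplied Content-Type and the raw filename.
function weak_check(array $f): bool {
    $blocked = ['php'];
    $ext = pathinfo($f['name'], PATHINFO_EXTENSION);
    return !in_array($ext, $blocked, true) && strpos($f['type'], 'image/') === 0;
}

// Hardened check: allowlist extensions, normalise case, drop any directory part,
// require the body to start with the magic bytes for that type, and return a
// server-chosen random filename (never the client's). Returns null on reject.
function strong_check(array $f): ?string {
    $allowed = [
        'png'  => "\x89PNG\r\n\x1a\n",
        'jpg'  => "\xFF\xD8\xFF",
        'jpeg' => "\xFF\xD8\xFF",
        'pdf'  => "%PDF-",
    ];
    $name = basename($f['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    $magic = $allowed[$ext];
    if (strncmp($f['head'], $magic, strlen($magic)) !== 0) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Run both checks over the samples: weak_check rejects only the exact
// lowercase "shell.php"; strong_check accepts only the two real PNGs.
function compare(): array {
    $out = [];
    foreach (sample_uploads() as $label => $f) {
        $out[$label] = [
            'weak'   => weak_check($f),
            'strong' => strong_check($f) !== null,
        ];
    }
    return $out;
}

print_r(compare());
```

The allowlist rejects anything whose extension is not listed, regardless of case, so shell.PHP and shell.phtml fall out without the developer having to enumerate every executable extension; the magic-bytes check catches a PHP body hidden under an allowed name; basename() strips a traversal attempt from the client filename; and a random server-chosen name means the attacker never controls where or under what name the file lands. Storing uploads outside the web root, or in a directory the web server is configured not to execute scripts from, limits the damage even when a check fails.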