A critical vulnerability in a WordPress plugin under active attack, risking over 17,000 websites

A zero-day vulnerability allows attackers to upload malicious files on e-commerce websites, eventually taking over their databases for customer information.

A new vulnerability has been found in a WordPress plugin that affects over 17,000 websites. The vulnerability is actively being exploited to collect customer information from these e-commerce sites. The security lapse was discovered by the Wordfence Threat Intelligence team on May 31. As per a report by the cybersecurity firm, a critical file upload vulnerability was found by security analyst Charles Sweethill in a WordPress plugin named Fancy Product Designer. The plugin is used by ecommerce website owners to upload images and PDF files for products on their online store. The report mentions that the vulnerability has been exploited actively since January 30, 2021. However, the attacks have been limited and from specific IP addresses.