Critical Zero-day Vulnerability in Fancy Product Designer Plugin

The Wordfence Threat Intelligence team has reported an active attack against the Fancy Product Designer plugin. The zero-day vulnerability in the Fancy Product Designer plugin allows attackers to upload malware by scanning for sites with the plugin installed.

This WordPress plugin allows users to upload images and PDF documents to add to their products. It is unfortunate that the plugin was not adequately checking for malicious files before being uploaded, so an attacker could upload PHP executable files to any website using the plugin. An attacker could take over the affected site via Remote Code Execution because of this flaw.



More than 17,000 websites have been installed the plugin, according to sales statistics.

Read more:

Occasionally, zero-day exploits are also actively used in the wild. For example, threat actors can deploy executable PHP files on a site with the Fancy Product Designer plugin after exploiting the bug to bypass the plugin’s built-in checks. And, The Critical 0-day is being actively exploited and can be exploited even while the plugin is deactivated.

The vulnerability is not widely exploited. However, there has been an increase in activity targeting the Fancy Product Designer plugin since May 16, 2021. Therefore, Wordfence recommends anyone using this plugin uninstall it completely until the plugin is patched.


Disclosure: Our content is reader-supported, which means that if you click on some of our links that we may earn a commission.