Critical Zero-Day in WordPress Plugin Under Active Attack
Security researchers have warned that a new critical zero-day vulnerability in a WordPress plugin has been found to be actively exploited in the wild. The plugin, called the Fancy Product Designer, is installed on roughly 17,000 sites, according to Wordfence security experts. The tool allows users to upload images and PDF files to products. Threat analyst Ram Gall stated that he received a response from the plugin’s developer within 24 hours, then delivering the full disclosure.
Since the vulnerability is being actively exploited in the wild, minimal public details have been released as the flaw has not yet been patched. Offering exploitation explanations could benefit malicious actors. Instead, the disclosure aims to alert the community to take precautions to keep their sites and personal information protected. The vulnerability has a CVSS score of 9.8, making it high severity. The vulnerability can lead to remote code execution, allowing for full site takeover. Users should uninstall the tool for the time being to prevent any risks.