A critical zero-day vulnerability has been discovered in a WordPress plugin called Fancy Product Designer. A Wordfence Threat Intelligence team from WordPress security company Defiant alerted about this vulnerability. The vulnerability is under active attack, which is tracked as CVE-2021-24370. Successful exploitation of the vulnerability allows remote attackers to bypass the firewall’s built-in file upload protection, which blocks malicious file upload. As a result, attackers can deploy PHP files and execute them.

Fancy Product Designer is a premium plugin for WordPress, WooCommerce, and Shopify. It allows customers to design and customize their products of any kind. It also enables customers to upload images and pdf files of the products to their website.  Fancy Product Designer plugin is installed on more than 17000 websites.

Vulnerability Details ( CVE-2021-24370)

A critical (CVSS Score: 9.8) unauthenticated arbitrary file upload and remote code execution vulnerability is found in the Fancy Product Designer plugin for WordPress and WooCommerce. Though Wordfence firewall has built-in file upload protection that blocks malicious file upload, it was possible to bypass the protection mechanism in some configurations. Also, it is possible to exploit the flaw even when the plugin has been deactivated.

Successful exploitation of the vulnerability allows remote attackers to upload malicious PHP files, execute remote code on the site with the plugin installed, and aid in full site takeover. According to the Wordfence security team’s analysis, attackers are trying to fetch order information from e-commerce site’s databases. Since this information usually contains customer’s personal details, an e-commerce site using a vulnerable version of the plugin ends up violating PCI-DSS compliance.

The following are the Indicators of Compromise:

Usually, successful exploitation allows the attackers to place a file in subfolders of wp-admin
or wp-content/plugins/fancy-product-designer/inc

For Ex:


Followings are the list files used in this attack and their MD5 hash as per Wordfence:
ass.php 3783701c82396cc96d842839a291e813 This is the initial payload, a dropper that then retrieves additional malware from a 3rd party site.
op.php 29da9e97d5efe5c9a8680c7066bb2840 A password-protected Webshell.
prosettings.php e6b9197ecdc61125a4e502a5af7cecae A Webshell found in older infections.
4fa00001c720b30102987d980e62d5e4.php 4329689c76ccddd1d2f4ee7fef3dab71 This payload decodes and loads a separate Webshell.
4fa00001c720b30002987d983e62d5e1.jpg c8757b55fc7d456a7a1a1aa024398471 The compressed web shell loaded by 4fa00001c720b30102987d980e62d5e4.php. Cannot be executed without the loader script.


The vulnerability allows remote attackers to upload malicious PHP files, execute remote code on the site with the plugin installed, and full site takeover.

Affected Applications

Fancy Product Designer plugin before version 4.6.9


To address this vulnerability, the plugin developer has release version 4.6.9 for the Fancy Product Designer plugin. Also, Wordfence has released new firewall rules to its premium customer to protect from this vulnerability, and free customers will get this update on June 30th.

Use Quad M Tech's Cyber Saner EDR to query the machines for IOCs and identify if a machine has been compromised.