On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical zero-day vulnerability (CVE-2021-24370) in Fancy Product Designer, a WordPress plugin installed on over 17,000 websites. It is an unauthenticated arbitrary file upload flaw, and it was already being exploited in the wild when it was found. Wordfence reported the problem to the plugin's developers the same day; the developers acknowledged the flaw and released a patched version, 4.6.9, on June 2. In this post we explain how to fix this critical zero-day WordPress plugin vulnerability (CVE-2021-24370) in Fancy Product Designer.
The team contacted the developers on May 31 and sent over the complete disclosure; the developers responded on June 1, 2021. Because the vulnerability is being actively exploited, Wordfence is disclosing it with minimal details until users have had time to install the patched version, while alerting the community so that site owners can take precautions to keep their websites protected.
Because this critical zero-day WordPress plugin vulnerability (CVE-2021-24370) is under active attack, a brief introduction to WordPress and its plugins is in order before the details.
What Is WordPress? What Is WordPress Plugin?
WordPress is a free and open-source website creation platform: a content management system (CMS) written in PHP that stores its data in a MySQL (or MariaDB) database. It is the most widely used CMS on the web, which is also what makes vulnerabilities in its plugins so attractive to attackers.
A WordPress plugin is a piece of PHP code that plugs into a self-hosted WordPress site to add new functionality or extend existing functionality. Plugins range from small tweaks to major changes; for example, a plugin can turn a simple website into an e-commerce store, a forum, or a social network. Because a plugin runs inside the same PHP process as WordPress itself, with the same access to the filesystem and database, a flaw in a single plugin can expose the whole site.
What Is a Zero-Day Vulnerability?
A zero-day vulnerability is a flaw in a device or system that is discovered, and often exploited, before the vendor has a patch available; an exploit that targets such a flaw is a zero-day exploit. The name refers to the fact that the developers have had zero days to fix the issue by the time it is exposed or exploited. Until a patch is issued and installed, every user of the affected software is at risk.
Introducing Fancy Product Designer
Fancy Product Designer is a WordPress plugin that lets organizations offer customizable products, allowing customers to design items ranging from T-shirts to phone cases. Customers can upload PDF files and images to add to their products. Although the plugin had checks in place to prevent malicious files from being uploaded, those checks were inadequate and could be bypassed easily, allowing an attacker to upload executable PHP files to any website with the plugin installed. Because an uploaded PHP file can then be requested and executed by the web server, the attacker effectively gains Remote Code Execution on the affected site, which amounts to complete website takeover.
How Are Attackers Abusing This 0-day WordPress Plugin Vulnerability (CVE-2021-24370)?
Attackers are exploiting this zero-day WordPress plugin vulnerability (CVE-2021-24370) to upload PHP files through the plugin's upload feature without authenticating; the plugin's file checks do not stop them. Once a PHP file has been written to a web-accessible directory, the attacker simply requests it and the server executes it, giving them code execution and, from there, full control of the site. This works on any website that has the plugin installed.
WPScan, the WordPress vulnerability database, first reported the bug as a zero-day WordPress plugin vulnerability under active attack. With the exploit in use in the wild, Wordfence observed indicators of compromise pointing to attackers dropping PHP payloads and web shells (listed below) and creating privileged user accounts, then using that access to compromise the website.
Researchers said that “We believe that hackers are adding accounts with usernames as registered email addresses depending on how the vulnerability creates accounts, and in some instances, installing a malicious plugin named ‘wpstaff’.”
According to Wordfence's post, this means any website running an unpatched version of this plugin is at risk.
Targets of This 0-day WordPress Plugin Vulnerability (CVE-2021-24370)
Fancy Product Designer, a popular WordPress plugin, is the plugin affected by CVE-2021-24370. Separately, researchers have also found vulnerabilities in WP Super Cache and Elementor that, if exploited successfully, would let attackers take over a website and run arbitrary code on it; as of this writing, those two flaws have not been seen exploited in the wild, unlike the Fancy Product Designer flaw.
Summary of This 0-day WordPress Plugin Vulnerability (CVE-2021-24370)
- Description: Unauthenticated Arbitrary File Upload and Remote Code Execution
- Affected Plugin: Fancy Product Designer
- Plugin Slug: fancy-product-designer
- Affected Versions: < 4.6.9
- CVE ID: CVE-2021-24370
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Researcher/s: Charles Sweethill / Ram Gall
The vector spells out why the score is critical: the flaw is exploitable over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and has high impact on confidentiality, integrity and availability (C:H/I:H/A:H).
How to Fix This Critical 0-Day WordPress Plugin Vulnerability (CVE-2021-24370)?
The fix is simply to update Fancy Product Designer to version 4.6.9 or later. Because it is a premium plugin sold through CodeCanyon rather than hosted in the WordPress.org plugin directory, the steps below install the patched release manually.
Time needed: 5 minutes.
How to Fix Fancy Product Designer vulnerability CVE-2021-24370
- Log in to codecanyon.net with the account that holds your license for the plugin.
- Visit the product page at https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393
- Download the plugin zip file from the right-hand side of the product page, and make sure it is the patched version, Fancy Product Designer 4.6.9 (or later).
- Log in to your WordPress site as an administrator.
- Go to Plugins->Add New->Upload Plugin and upload the patched zip. On WordPress 5.5 or later, WordPress detects that the plugin is already installed and offers "Replace current with uploaded"; choose that.
- Activate the plugin if it is not already active, then confirm on the Plugins screen that the version shown is 4.6.9 or higher.
- Finally, check the site for the indicators of compromise listed below. Updating the plugin closes the hole, but it does not remove any web shell or rogue account an attacker has already planted.
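The steps above as a script, added here as an example; it is not from the original post, from Wordfence, or from the plugin vendor. It assumes WP-CLI is installed and the script is run from the WordPress root, that the patched zip has already been downloaded from CodeCanyon to the path given as the first argument, and, for the hardening step, that the site runs Apache with .htaccess overrides enabled (nginx needs an equivalent location rule in the server configuration instead). The slug and fixed version are taken from the summary above; the function names are the example's own.

```shell
#!/bin/sh
# Added example: not from the original post, Wordfence, or the plugin vendor.
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.
# Slug and fixed version come from the advisory summary on this page.
PLUGIN_SLUG="fancy-product-designer"
PATCHED_VERSION="4.6.9"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Compares field by field as integers, so 4.6.10 correctly sorts after 4.6.9
# (a plain string comparison would get that wrong). Trailing tags such as
# "-beta" are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
    [ -n "$x" ] || x=0
    [ -n "$y" ] || y=0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# is_vulnerable INSTALLED: exit 0 when INSTALLED predates the patched release.
is_vulnerable() {
  version_lt "$1" "$PATCHED_VERSION"
}

# deny_php_in_uploads DIR: write an Apache 2.4 .htaccess into DIR so that a
# PHP file an attacker manages to upload there is refused (HTTP 403) instead
# of executed. Assumption: Apache with AllowOverride enabled for this path.
deny_php_in_uploads() {
  mkdir -p "$1"
  cat > "$1/.htaccess" <<'EOF'
# Uploaded content is data, never code: refuse to serve script files here.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# check_and_update ZIP: compare the installed version with the patched one;
# if it is older, overwrite the plugin from the downloaded zip, reactivate it,
# and harden the uploads directory.
check_and_update() {
  zip="$1"
  if ! installed="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)"; then
    echo "$PLUGIN_SLUG is not installed; nothing to do"
    return 0
  fi
  if is_vulnerable "$installed"; then
    echo "installed $installed is older than $PATCHED_VERSION: updating from $zip"
    wp plugin install "$zip" --force
    wp plugin activate "$PLUGIN_SLUG"
    deny_php_in_uploads "$(wp eval 'echo wp_upload_dir()["basedir"];')"
    echo "now running $(wp plugin get "$PLUGIN_SLUG" --field=version)"
  else
    echo "installed $installed is already patched"
  fi
}

# Usage: sh fix-fpd.sh /path/to/fancy-product-designer-4.6.9.zip
if [ "$#" -ge 1 ]; then
  check_and_update "$1"
fi
```

The version comparison is done numerically on purpose: a string comparison would rank 4.6.10 below 4.6.9 and report a patched site as vulnerable. The .htaccess step is defence in depth for this whole class of bug; it does nothing for a file already executed, so the indicator check in the next section is still needed.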
Indicators of Compromise Recorded During the Analysis of This 0-day WordPress Plugin Vulnerability (CVE-2021-24370)
In most instances, a successful attack leaves a file with a PHP extension and a unique ID in a subfolder named with the date on which the file was uploaded.
Most of the attacks against this zero-day vulnerability come from the following IP addresses:
The filenames associated with this vulnerability:
- ass.php (MD5 3783701c82396cc96d842839a291e813): the initial payload; it downloads additional malware from a third-party site.
- op.php (MD5 29da9e97d5efe5c9a8680c7066bb2840): a password-protected web shell.
- prosettings.php (MD5 e6b9197ecdc61125a4e502a5af7cecae): a web shell found in older infections.
- 4fa00001c720b30102987d980e62d5e4.php (MD5 4329689c76ccddd1d2f4ee7fef3dab71): a loader that decodes and executes a separate web shell.
- 4fa00001c720b30002987d983e62d5e1.jpg (MD5 c8757b55fc7d456a7a1a1aa024398471): the compressed web shell loaded by 4fa00001c720b30102987d980e62d5e4.php. It cannot be executed without the loader script, and because it carries a .jpg extension it is missed by scans that look only for .php files.
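A hunt for the indicators above, added here as an example; it is not from the original post or from Wordfence. The post does not give the parent directory of the date-named folders, so the script does two generic checks instead: it lists every PHP-like file under wp-content/uploads (legitimate uploads are images and documents, never code), and it hashes every file under the WordPress root against the MD5s listed above, which also catches the .jpg-disguised web shell. It assumes a standard WordPress layout and the md5sum and find tools; the sample tree built by make_sample_tree is constructed for demonstration and holds harmless stand-ins, not real payloads.

```shell
#!/bin/sh
# Added example: not from the original post or Wordfence. Hunts for the
# indicators listed above in a WordPress install. Assumes a standard layout
# (uploads under wp-content/uploads) and the md5sum(1) and find(1) tools.
# The sample tree from make_sample_tree is constructed for demonstration
# and contains harmless stand-ins, not real attacker payloads.

# Known-bad MD5s and the filenames they were seen with (from the list above).
IOC_MD5S="3783701c82396cc96d842839a291e813 ass.php
29da9e97d5efe5c9a8680c7066bb2840 op.php
e6b9197ecdc61125a4e502a5af7cecae prosettings.php
4329689c76ccddd1d2f4ee7fef3dab71 4fa00001c720b30102987d980e62d5e4.php
c8757b55fc7d456a7a1a1aa024398471 4fa00001c720b30002987d983e62d5e1.jpg"

# find_php_files DIR: list every file under DIR with a PHP-like extension.
# Legitimate uploads are images and documents, so any hit under the uploads
# tree is suspicious. Also matches .phtml/.phar/.php5, which some servers
# execute and which naive ".php"-only checks miss.
find_php_files() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
    -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# match_known_hashes ROOT [LIST]: print "HASH PATH" for every file under ROOT
# whose MD5 appears in LIST (default: IOC_MD5S). Hashing catches renamed
# payloads, including the web shell disguised as a .jpg.
match_known_hashes() {
  list="${2:-$IOC_MD5S}"
  find "$1" -type f -exec md5sum {} + 2>/dev/null | while read -r hash path; do
    if printf '%s\n' "$list" | grep -q "^$hash "; then
      printf '%s %s\n' "$hash" "$path"
    fi
  done
}

# count_findings ROOT: number of distinct suspicious files (PHP files in the
# uploads tree plus known-hash matches anywhere under ROOT).
count_findings() {
  {
    find_php_files "$1/wp-content/uploads"
    match_known_hashes "$1" | cut -d' ' -f2-
  } | sort -u | wc -l | tr -d ' '
}

# make_sample_tree ROOT: build a constructed WordPress-like tree holding a
# benign image, a PHP stand-in in a date-named folder (the pattern described
# above), and an extension-dodging .phtml. Prints ROOT.
make_sample_tree() {
  up="$1/wp-content/uploads/2021/06"
  mkdir -p "$up"
  printf 'not really an image\n' > "$up/design.jpg"
  printf '<?php echo "shell stand-in"; ?>\n' > "$up/a1b2c3d4e5f6.php"
  printf '<?php /* stand-in */ ?>\n' > "$up/loader.phtml"
  printf '%s\n' "$1"
}

# Usage: sh hunt-fpd-iocs.sh /var/www/html
if [ "$#" -ge 1 ]; then
  echo "== PHP files under $1/wp-content/uploads =="
  find_php_files "$1/wp-content/uploads"
  echo "== files matching known-bad MD5s under $1 =="
  match_known_hashes "$1"
fi
```

Treat any hit as a reason to assume the site is compromised rather than just cleaning the file: the loader/web shell pairs above show that attackers drop several files, and the account creation noted earlier means user lists and scheduled tasks need review as well.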
General Countermeasures Against Zero-Day Vulnerabilities
Zero-day vulnerabilities are dangerous precisely because no patch exists when exploitation begins. The following detection approaches help shrink the window of exposure.
#1. Statistical Techniques
Statistical (anomaly-based) techniques build a profile of what normal activity looks like on a network or application and raise an alert when behavior or traffic deviates from that baseline. For example, if a user on a secure network receives a message from an unknown source with a file attachment, the statistical algorithm flags the message for further inspection; on a web server, PHP files suddenly appearing in an uploads directory would stand out the same way.
#2. Behavior-Based Defense
Behavior-based defense watches what code and users actually do rather than what they look like. A common implementation is a honeypot: a deliberately exposed, closely monitored machine or account with no legitimate users, so that any interaction with it or unusual change on it reveals an attacker and their techniques.
#3. Signature-Based Defense
Signature-based defense uses pattern matching to recognize known vulnerabilities and exploit payloads. It cannot match the specific code of a zero-day exploit, since by definition no signature exists yet, but it can still catch generic attack classes such as SQL injection, XSS, or a PHP file being submitted to an upload endpoint.
#4. Hybrid Techniques
Hybrid techniques combine behavioral, statistical and traditional signature-based detection. They are more effective because each method covers the blind spots of the others.
Thanks for reading this post. Please share it with anyone who runs a WordPress site so they are aware of this critical vulnerability.