CVE-2021-24370

9.8 CRITICAL

📋 TL;DR

The Fancy Product Designer WordPress plugin before version 4.6.9 contains an unauthenticated arbitrary file upload vulnerability. This allows attackers to upload malicious files, including PHP shells, leading to remote code execution on affected WordPress sites. Any WordPress installation using vulnerable versions of this plugin is affected.

💻 Affected Systems

Products:
  • Fancy Product Designer WordPress Plugin
Versions: All versions before 4.6.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and activated. No special configuration needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise: attacker gains full control of the WordPress site, can execute arbitrary commands, steal data, install backdoors, and pivot to other systems.

🟠 Likely Case

Website defacement, data theft, malware distribution, or cryptomining installation through uploaded web shells.

🟢 If Mitigated

Attack blocked at web application firewall level or detected before exploitation completes.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be compromised if accessed by malicious insiders or through lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Active exploitation was observed in the wild. Exploit scripts are publicly available and easy to use.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.9

Vendor Advisory: https://wordpress.org/plugins/fancy-product-designer/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Fancy Product Designer.
4. Click 'Update Now' if available.
5. If not, download version 4.6.9+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until patching is possible.

wp plugin deactivate fancy-product-designer

Web Application Firewall Rule (applies to: all)

Block requests to the vulnerable upload endpoint.

Block POST requests to /wp-content/plugins/fancy-product-designer/

🧯 If You Can't Patch

  • Remove the plugin entirely if not needed
  • Implement strict file upload restrictions at server level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Fancy Product Designer version. If the version is lower than 4.6.9, the site is vulnerable.

Check Version:

wp plugin get fancy-product-designer --field=version

Verify Fix Applied:

Confirm plugin version is 4.6.9 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-content/plugins/fancy-product-designer/ with file upload parameters
  • Unexpected .php files in upload directories
  • Web shell activity patterns

Network Indicators:

  • Unusual outbound connections from WordPress server
  • File uploads to plugin endpoint from unexpected sources

SIEM Query:

source="web_logs" AND uri_path="/wp-content/plugins/fancy-product-designer/*" AND http_method="POST" AND status_code=200

(The trailing wildcard matters: an exact match on the directory path alone would not match requests to files beneath it.)
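As an added example (not part of this advisory), a small Python script that applies the version and log checks above to constructed sample data: a numeric version comparison against 4.6.9, a prefix-matching filter for successful POSTs under the plugin path, and a scan for PHP files in the uploads tree. The log lines, file listing and the PLACEHOLDER endpoint name are constructed for the example and are not the plugin's real handler.

```python
import re
from typing import Dict, List

# Combined Log Format fields we need; the sample lines below are constructed to match it.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
PLUGIN_PREFIX = "/wp-content/plugins/fancy-product-designer/"
FIXED_VERSION = (4, 6, 9)

def is_vulnerable(version: str) -> bool:
    # Compare numerically: as strings, "4.6.10" sorts below "4.6.9" and would be misjudged.
    return tuple(int(p) for p in re.findall(r"\d+", version)) < FIXED_VERSION

def suspicious_uploads(log_text: str) -> List[Dict[str, str]]:
    # POSTs anywhere under the plugin directory that the server answered with 200.
    # Prefix matching is needed: an exact match on the directory alone misses files beneath it.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["status"] == "200" \
                and m["path"].startswith(PLUGIN_PREFIX):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"]})
    return hits

def php_in_uploads(paths: List[str]) -> List[str]:
    # Executable PHP variants in the uploads tree, which should hold media only.
    return [p for p in paths if p.startswith("wp-content/uploads/")
            and re.search(r"\.ph(p\d?|tml)$", p.lower())]

# Constructed sample data (not real traffic or a real listing); the endpoint
# file name is a placeholder, not the plugin's actual handler.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2021:10:00:01 +0000] "POST /wp-content/plugins/fancy-product-designer/PLACEHOLDER.php HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2021:10:00:03 +0000] "GET /wp-content/plugins/fancy-product-designer/js/main.js HTTP/1.1" 200 8192
198.51.100.7 - - [01/Jun/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [01/Jun/2021:10:00:09 +0000] "POST /wp-content/plugins/fancy-product-designer/PLACEHOLDER.php HTTP/1.1" 200 640
"""
SAMPLE_FILES = ["wp-content/uploads/2021/06/product.png",
                "wp-content/uploads/2021/06/image.php",
                "wp-content/uploads/2021/06/thumb.phtml",
                "wp-content/plugins/fancy-product-designer/index.php"]

if __name__ == "__main__":
    print(suspicious_uploads(SAMPLE_LOG))
    print(php_in_uploads(SAMPLE_FILES))
    print(is_vulnerable("4.6.10"), is_vulnerable("4.6.8"))
```

To run it against a real server, feed the contents of the access log to suspicious_uploads and a recursive listing of wp-content/uploads to php_in_uploads.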
