Cybersecurity Threat Advisory 0036-21: Critical Zero-Day in WordPress Plugin Fancy Product Designer Under Attack

Threat Update

On May 31, 2021, a critical file upload vulnerability in Fancy Product Designer—a WordPress plugin installed on over 17,000 websites—was discovered to be under active exploitation by threat actors.

Technical Detail & Additional Information


Fancy Product Designer is a WordPress plugin that enables customers to upload images and PDF files to be added to products. While the unpatched plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could be easily bypassed, allowing threat actors to upload executable PHP files to any site with the unpatched plugin installed. This capability enables attackers to achieve Remote Code Execution on an impacted site, allowing for full site takeover.


Threat actors appear to be targeting e-commerce sites to extract order information from website databases. As this order information contains personally identifiable information (PII) of customers, any organization running a website with a vulnerable version of the Fancy Product Designer plugin is at risk of violating its PCI-DSS compliance if successfully exploited.


Any website that has the Fancy Product Designer plugin installed and has not updated to the patched version 4.6.9—available as of June 2, 2021—is vulnerable. E-commerce sites have been the most popular targets of this exploitation thus far.


If your website is affected, you should update Fancy Product Designer to the patched version: 4.6.9. This critical zero-day vulnerability is under active attack and is exploitable in some configurations even if the plugin has been deactivated, so we recommend updating it to the latest version available rather than simply deactivating it.

Follow these steps to get the latest version:

  • Login to
  • Once you are logged in, you should be able to visit the product page:
  • In the “Overview” sidebar on the right-hand side of the product page, you should see a “Download” link. Click on it.
  • Once you have downloaded the updated version of the plugin, you should be able to login to your WordPress site and go to Plugins->Add New->Upload Plugin to upload the updated plugin.
  • If you are an e-commerce platform and believe you may have been targeted, you may also want to check for indicators of compromise, which typically appear as PHP files within a subfolder of wp-admin or wp-content/plugins/fancy-product-designer/inc and include the date the file was uploaded within the file name.


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.