Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Critical WordPress Plugin Zero-day Under Active Exploitation

Critical WordPress Plugin Zero-day Under Active Exploitation

Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.

Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.

According to sales statistics for the plugin, Fancy Product Designer has been sold and installed on more than 17,000 websites.

Zero-day also impacts WooCommerce sites

Zero-days are publicly disclosed vulnerabilities vendors haven’t patched, which, in some cases, are also actively exploited in the wild or have publicly available proof-of-concept exploits.

The security flaw is a critical severity remote code execution (RCE) vulnerability discovered by Wordfence security analyst Charles Sweethill on Monday.

“The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable,” threat analyst Ram Gall told BleepingComputer.

When it comes to the plugin’s Shopify version, attacks would likely be blocked, given that Shopify uses stricter access controls for sites hosted and running on its platform.

Also Read: 4 Best Practices on How to Use SkillsFuture Credit

Vulnerable sites exposed to complete takeover

Attackers who successfully exploit the Fancy Product Designer bug can bypass built-in checks blocking malicious files uploading to deploy executable PHP files on sites where the plugin is installed.

This allows the threat actors to completely take over vulnerable sites following remote code execution attacks.

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” Gall said.

While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of sites running the Fancy Product Designer plugin have started more than two weeks ago, on May 16, 2021.

Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to uninstall the plugin until a patched release is available.

Indicators of compromise, including IP addresses used to launch these ongoing attacks, are available at the end of WordFence’s report.

Also Read: 3 Reasons Why You Must Take a PDPA Singapore Course

The Fancy Product Designer development team did not reply to BleepingComputer’s request for comment before the article was published.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us