
Cloud Vulnerability DB
A community-led vulnerabilities database
The Fancy Product Designer WordPress plugin before version 4.6.9 contains a critical vulnerability (CVE-2021-24370) that allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. The vulnerability was discovered in early 2021 and was actively exploited in the wild. The plugin, which has over 15,000 installations, is designed to allow users to customize products in WooCommerce stores (WPScan, Wordfence).
The vulnerability exists in the plugin's custom-image-handler.php file, which lets unauthenticated users upload files because of a time-of-check/time-of-use (TOCTOU) weakness, reachable by sending a POST request to that file. The upload handler first checks the file's MIME type but then downloads the file a second time when saving it, so the content that was validated is not necessarily the content that is written to disk; this race condition is what attackers exploited. The vulnerability received a CVSS score of 9.8 (Critical) (Wordfence, SecPod).
Successful exploitation allows attackers to upload malicious PHP files and execute remote code on affected sites, potentially leading to full site takeover. Attackers were observed attempting to extract order information from e-commerce site databases, potentially violating PCI-DSS compliance by exposing customer personal details (SecPod).
The vulnerability was patched in version 4.6.9 of the Fancy Product Designer plugin. Wordfence released firewall rules to protect premium customers immediately, with free customers receiving the update on June 30th (SecPod).
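The double-download pattern described above, shown beside a handler that validates and stores the same bytes, as an added illustration that is not the plugin's own code. It assumes the handler fetches the image from a caller-supplied URL; the function names, the allowed image types and the destination directory are hypothetical.

```php
<?php
// Added example, not code from Fancy Product Designer. Illustrates the
// TOCTOU class described in the advisory and one way to close it.

// VULNERABLE PATTERN: the content is fetched once for the MIME check and
// fetched again for saving, so the checked bytes and the stored bytes can differ.
function save_remote_image_vulnerable(string $url, string $dest_dir): ?string {
    $probe = file_get_contents($url);                           // fetch #1: check
    $mime  = (new finfo(FILEINFO_MIME_TYPE))->buffer((string) $probe);
    if (!in_array($mime, ['image/png', 'image/jpeg'], true)) {
        return null;
    }
    // Also trusts the remote file name, so the extension is attacker-chosen.
    $path = $dest_dir . '/' . basename((string) parse_url($url, PHP_URL_PATH));
    file_put_contents($path, file_get_contents($url));          // fetch #2: save
    return $path;
}

// FIXED PATTERN: fetch once, validate that buffer, and write that same buffer
// under a server-chosen name whose extension follows the detected type.
// In a WordPress handler, gate the request before reaching this point, e.g.
//   if (!current_user_can('upload_files')) { wp_die('Forbidden', 403); }
function save_remote_image_fixed(string $url, string $dest_dir): ?string {
    $data = file_get_contents($url);                            // single fetch
    if ($data === false || $data === '') {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];   // assumed allow-list
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Require the buffer to parse as an image, not merely carry an image header.
    if (getimagesizefromstring($data) === false) {
        return null;
    }
    // Random server-chosen name; the remote file name is never used.
    $path = $dest_dir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        return null;
    }
    return $path;
}
```

With a single fetch there is no second retrieval for a changing remote response to influence, and the server-chosen extension prevents a validated image from being stored under a name the web server would execute.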
Source: This report was generated using AI