Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware. The plugin is a visual product configurator plugin for WordPress, WooCommerce, and Shopify. The security flaw is a critical severity remote code execution (RCE) vulnerability discovered by Wordfence security analyst Charles Sweethill on Monday. The vulnerability is under active exploitation and was rated as critical severity, and customers are advised to immediately install the patched version released on June 2.
Source: https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-zero-day-under-active-exploitation/