Critical WordPress Plugin Used by 20,000+ Sites Left Exposed to Remote Attacks

Critical Security Flaws Discovered in Popular WordPress Plugin

Two severe security vulnerabilities have been identified in Radykal’s Fancy Product Designer, a premium WordPress plugin with over 20,000 installations. The plugin, which enables product customization in WooCommerce stores, remains unpatched even though the flaws have been reported to the vendor.

Security Vulnerabilities:

1. Arbitrary File Upload (CVE-2024-51919)
– Severity: Critical (CVSS 9.0)
– Allows unauthorized file uploads due to inadequate file validation
– Potential for remote code execution through malicious file uploads
– Affects ‘save_remote_file’ and ‘fpd_admin_copy_file’ functions

2. SQL Injection (CVE-2024-51818)
– Severity: Critical (CVSS 9.3)
– Enables unauthorized database access
– Caused by insufficient input sanitization
– Risks include data theft, modification, and deletion

Current Status:
– Vulnerabilities discovered March 17, 2024, by Patchstack’s Rafie Muhammad
– Vendor notified but remains unresponsive
– Latest version (6.4.3) still contains both vulnerabilities
– 20 new versions released without security patches

Recommended Security Measures:
– Implement allowlist for safe file extensions
– Properly sanitize and escape user input for database queries
– Monitor for suspicious activities
– Consider alternative solutions until patches are available
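The two code-level mitigations above (an extension allowlist for uploads, and parameterized queries instead of string-built SQL) are illustrated below in plugin-style PHP. This is an added example written for this article, not code from Fancy Product Designer or from Radykal; the function names, the `fpd_example_` prefix, the allowed-extension list and the `fpd_designs` table are assumptions chosen for illustration. It uses only standard WordPress APIs (`current_user_can`, `sanitize_file_name`, `wp_check_filetype_and_ext`, `$wpdb->prepare`).

```php
<?php
// Added example (not the plugin's own code): a hardened upload validator and
// a parameterized lookup, showing the two mitigations recommended above.

// Allowlist of extensions a design-upload feature legitimately needs (assumption).
// Everything not on this list is rejected; there is no denylist to bypass.
const FPD_EXAMPLE_ALLOWED_EXT = array( 'png', 'jpg', 'jpeg', 'pdf' );

/**
 * Validate one entry of $_FILES before it is stored.
 * Returns the sanitized file name on success, or a WP_Error on failure.
 */
function fpd_example_validate_upload( array $file ) {
	// Only users who may upload media, and only a real PHP upload (not an arbitrary path).
	if ( ! current_user_can( 'upload_files' ) ) {
		return new WP_Error( 'forbidden', 'Insufficient permissions.' );
	}
	if ( ! isset( $file['name'], $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
		return new WP_Error( 'bad_upload', 'Not a valid uploaded file.' );
	}

	// Strip path separators and other unsafe characters from the client-supplied name.
	$name = sanitize_file_name( wp_unslash( $file['name'] ) );

	// Allowlist check on the extension, compared case-insensitively.
	$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, FPD_EXAMPLE_ALLOWED_EXT, true ) ) {
		return new WP_Error( 'bad_ext', 'File type not allowed.' );
	}

	// Second, content-based check: WordPress compares the declared extension with
	// the MIME type detected from the file bytes, so a script renamed to .png fails here.
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $name );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) || $check['ext'] !== $ext ) {
		return new WP_Error( 'mime_mismatch', 'File contents do not match the extension.' );
	}

	return $name;
}

/**
 * Fetch one saved design by id using a prepared statement.
 *
 * The unsafe pattern is interpolating request input directly into the SQL string;
 * $wpdb->prepare() instead binds the value as a typed placeholder (%d here), so the
 * query structure is fixed before any user data is involved.
 */
function fpd_example_get_design( $design_id ) {
	global $wpdb;
	$table = $wpdb->prefix . 'fpd_designs'; // hypothetical table name
	$sql   = $wpdb->prepare(
		"SELECT id, user_id, title FROM {$table} WHERE id = %d",
		absint( $design_id )
	);
	return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * Search designs by title prefix. For LIKE patterns the user text must be escaped
 * with esc_like() first so that % and _ in the input are treated literally, and
 * then bound with the %s placeholder.
 */
function fpd_example_search_designs( $title_prefix ) {
	global $wpdb;
	$table   = $wpdb->prefix . 'fpd_designs'; // hypothetical table name
	$pattern = $wpdb->esc_like( sanitize_text_field( $title_prefix ) ) . '%';
	$sql     = $wpdb->prepare(
		"SELECT id, title FROM {$table} WHERE title LIKE %s ORDER BY id DESC LIMIT 20",
		$pattern
	);
	return $wpdb->get_results( $sql, ARRAY_A );
}
```

In a real handler, `fpd_example_validate_upload()` would run after a nonce check (`check_ajax_referer()` or `wp_verify_nonce()`) and before `wp_handle_upload()` moves the file into the uploads directory; the point of the example is that the upload is accepted only when both the name-based allowlist and the content-based MIME check agree, and that every database read takes user input only through a `prepare()` placeholder.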

The plugin remains vulnerable despite multiple version releases, posing significant risks to e-commerce websites utilizing this customization tool.