Two severe security vulnerabilities have been identified in Radykal’s Fancy Product Designer, a premium WordPress plugin with over 20,000 installations. The plugin, which enables product customization in WooCommerce stores, remains unpatched despite recent discoveries.
Security Vulnerabilities:
1. Arbitrary File Upload (CVE-2024-51919)
– Severity: Critical (CVSS 9.0)
– Allows unauthorized file uploads due to inadequate file validation
– Potential for remote code execution through malicious file uploads
– Affects ‘save_remote_file’ and ‘fpd_admin_copy_file’ functions
2. SQL Injection (CVE-2024-51818)
– Severity: Critical (CVSS 9.3)
– Enables unauthorized database access
– Caused by insufficient input sanitization
– Risks include data theft, modification, and deletion
Current Status:
– Vulnerabilities discovered March 17, 2024, by Patchstack’s Rafie Muhammad
– Vendor notified but remains unresponsive
– Latest version (6.4.3) still contains both vulnerabilities
– 20 new versions released without security patches
Recommended Security Measures:
– Implement allowlist for safe file extensions
– Properly sanitize and escape user input for database queries
– Monitor for suspicious activities
– Consider alternative solutions until patches are available
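As an added illustration of the first two measures above (not code from Fancy Product Designer or Radykal; every `fpd_example_*` name and the table name are hypothetical), a WordPress-style upload handler that enforces an extension/MIME allowlist, plus a lookup that binds request data through `$wpdb->prepare()` instead of interpolating it. The same allowlist check would apply to a file fetched from a remote URL before it is written to disk.

```php
<?php
// Hypothetical hardened handlers for a WordPress plugin (added example, not the plugin's code).

// Fixed allowlist of extension => MIME type; anything outside it is rejected.
function fpd_example_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
}

function fpd_example_handle_upload() {
    check_ajax_referer( 'fpd_example_upload', 'nonce' );      // reject requests without a valid nonce
    if ( ! current_user_can( 'upload_files' ) ) {             // capability check, not just "logged in"
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];
    $name = sanitize_file_name( $file['name'] );
    // Checks the extension against the allowlist and, where PHP can sniff it,
    // that the file's real MIME type matches; both fields are empty on failure.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, fpd_example_allowed_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';      // wp_handle_upload() lives here
    // Let WordPress move the file into the uploads directory; 'mimes' re-applies the allowlist.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => fpd_example_allowed_mimes() ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_fpd_example_upload', 'fpd_example_handle_upload' );

// Never build SQL from request data by string concatenation; bind every value.
function fpd_example_find_designs( $product_id, $title_fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fpd_example_designs';                 // hypothetical table
    $like  = '%' . $wpdb->esc_like( $title_fragment ) . '%';        // escape LIKE wildcards separately
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE product_id = %d AND title LIKE %s LIMIT 50",
        absint( $product_id ),
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```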
The plugin remains vulnerable despite multiple version releases, posing significant risks to e-commerce websites utilizing this customization tool.