In a recent security advisory, Rafie Muhammad, a security researcher at Patchstack, has uncovered critical vulnerabilities in the Fancy Product Designer plugin, a popular premium plugin designed for product customization in WooCommerce. Developed by Radykal, this plugin has over 20,000 sales and is known for enabling users to design and personalize products with extensive freedom. However, the discovery of severe security flaws has placed thousands of WordPress websites at risk.
The Fancy Product Designer plugin is affected by two significant vulnerabilities:
- Unauthenticated Arbitrary File Upload (CVE-2024-51919): This vulnerability, rated with a CVSS score of 9.0, allows unauthenticated users to upload arbitrary files, including malicious PHP files, to the server. The flaw resides in the save_remote_file and fpd_admin_copy_file functions. Due to inadequate input validation, attackers can exploit these functions to achieve Remote Code Execution (RCE). As Rafie Muhammad explains, “Since there is no proper check on those two functions, if there are any codes that utilize those functions without additional file checks, then we can achieve arbitrary file upload.”
- Unauthenticated SQL Injection (CVE-2024-51818): Rated with a CVSS score of 9.3, this vulnerability allows unauthenticated users to execute arbitrary SQL queries on the database. The root cause lies in the get_products_sql_attrs function, which fails to properly sanitize user input. Muhammad highlights, “The strip_tags function itself is not enough to prevent SQL Injection in this case, since the function literally only strips HTML, XML, and PHP tags.” This issue can lead to significant data breaches or unauthorized database modifications.
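The point in the second finding, that stripping tags does nothing against a quote that closes a SQL string literal, can be shown with a short added illustration. This is not the plugin's code: the two function names are hypothetical stand-ins, and it assumes WordPress is loaded so that the global `$wpdb` object is available.

```php
<?php
// Added illustration, not Fancy Product Designer code. Assumes WordPress is
// loaded so that the global $wpdb object exists.

// Weak pattern: strip_tags() removes HTML, XML and PHP tags but leaves single
// quotes, comment markers and SQL keywords untouched, so the value is still
// unsafe once it is concatenated into query text.
function weak_products_where( string $category ): string {
    $category = strip_tags( $category );
    return "WHERE post_status = 'publish' AND category = '" . $category . "'";
}

// Hardened pattern: the untrusted value never becomes part of the SQL text.
// $wpdb->prepare() binds it as an escaped, quoted literal for the %s
// placeholder, so a quote inside the value stays inside the literal.
function safe_products_where( string $category ): string {
    global $wpdb;
    return $wpdb->prepare(
        "WHERE post_status = 'publish' AND category = %s",
        $category
    );
}

// Constructed sample input containing a single quote and a SQL keyword.
// strip_tags() returns it unchanged because it contains no tags.
$untrusted = "shirts' OR '1'='1";

// In the weak version the quote ends the literal early and the remainder is
// interpreted as SQL; in the hardened version the whole value remains one
// quoted string and the query's structure is unchanged.
echo weak_products_where( $untrusted ), PHP_EOL;
echo safe_products_where( $untrusted ), PHP_EOL;
```

Any value that reaches a query should go through `$wpdb->prepare()` (or an equivalent parameterised API); output-oriented sanitisers such as `strip_tags()` or `esc_html()` are not substitutes for it.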
At the time of the report, these vulnerabilities remain unpatched in the latest plugin version, 6.4.3. Website administrators using the Fancy Product Designer plugin are strongly advised to:
- Disable the plugin immediately.
- Monitor the vendor’s website and official channels for updates regarding patches.
- Employ web application firewalls (WAFs) to detect and block exploitation attempts.