
Issues with the Fancy Product Designer Plugin Pose Security Risks for WordPress Sites


Two critical security vulnerabilities have been discovered in the Fancy Product Designer premium plugin, a popular tool used for customizing WooCommerce products on WordPress websites. Despite the plugin’s extensive functionality and a user base reflected in more than 20,000 sales, its latest version, 6.4.3, has been flagged for two serious flaws, as reported by Patchstack researchers.

The first vulnerability, an unauthenticated arbitrary file upload flaw (CVE-2024-51919), poses a grave risk as it allows unauthorized users to upload any type of file, including malicious PHP files, which could lead to remote code execution (RCE). The vulnerability is rooted in the save_remote_file and fpd_admin_copy_file functions, which lack adequate input validation measures, enabling unrestricted file uploads.

The second vulnerability identified in the Fancy Product Designer plugin is an unauthenticated SQL injection bug (CVE-2024-51818), which grants malicious actors the ability to execute SQL queries directly on the underlying WordPress database. This vulnerability stems from the get_products_sql_attrs function, which fails to properly sanitize user input, relying instead on the strip_tags function; strip_tags only removes HTML tags and does nothing about SQL metacharacters such as quotes, so it offers no protection against SQL injection.

Despite attempts by Patchstack researchers to notify the plugin vendor, Radykal, about these vulnerabilities on March 18, 2024, there has been no response or action taken to address the issues. Consequently, the vulnerabilities were publicly disclosed on January 8, 2025, exposing WordPress websites using the Fancy Product Designer plugin to potential exploitation by threat actors.

In response to these security risks, website administrators are strongly advised to deactivate or completely remove the Fancy Product Designer plugin from their WordPress installations until a security patch is released by the vendor. Additionally, security experts recommend implementing certain best practices for developers to mitigate similar vulnerabilities in their plugins:

– Thoroughly validate all file uploads by checking both the filename and extension
– Use whitelisting to allow only specified file types for upload
– Adopt prepared statements for SQL queries to prevent SQL injection attacks
– Properly sanitize and escape all user inputs to prevent code injection vulnerabilities
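The two developer recommendations above, upload allow-listing and prepared statements, written out in WordPress PHP as an added example; this is not the plugin's own code, and the fpd_example_* function names are hypothetical.

```php
<?php
// Added example (not Fancy Product Designer's code) of the two controls
// recommended above, on real WordPress APIs; fpd_example_* names are hypothetical.

// Allow-list check for an uploaded file: the extension and the sniffed image
// type must both match, so "design.php" and a PHP payload renamed ".png" are
// rejected. Returns the safe filename or a WP_Error the caller must honour.
function fpd_example_validate_upload( array $file ) {
    // Only what a product designer needs; SVG is omitted since it can carry script.
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'fpd_forbidden', 'Not allowed to upload files.' );
    }
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'fpd_bad_upload', 'No uploaded file.' );
    }
    // Drops path separators and odd characters: "../x.php" becomes "x.php".
    $name = sanitize_file_name( (string) $file['name'] );

    // Extension must be in $allowed; on a mismatch 'ext' and 'type' come back empty.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'fpd_bad_type', 'File type not permitted.' );
    }
    // wp_check_filetype_and_ext() only corrects a file whose sniffed image type
    // differs; a body that is not an image at all passes through, so sniff here.
    if ( wp_get_image_mime( $file['tmp_name'] ) !== $check['type'] ) {
        return new WP_Error( 'fpd_bad_content', 'File content is not a permitted image.' );
    }
    return $check['proper_filename'] ? $check['proper_filename'] : $name;
}

// Product search with a prepared statement instead of strip_tags(): every
// user-controlled value is bound through a placeholder, never concatenated,
// and the LIKE pattern is escaped so "%" and "_" lose their wildcard meaning.
function fpd_example_search_products( $title_term, $max_price, $limit = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $title_term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT p.ID, p.post_title, m.meta_value AS price
           FROM {$wpdb->posts} p
           JOIN {$wpdb->postmeta} m ON m.post_id = p.ID AND m.meta_key = '_price'
          WHERE p.post_type = 'product' AND p.post_status = 'publish'
            AND p.post_title LIKE %s AND CAST(m.meta_value AS DECIMAL(10,2)) <= %f
          LIMIT %d",
        $like, (float) $max_price, absint( $limit )
    );
    return $wpdb->get_results( $sql );
}
```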

Furthermore, conducting regular code audits and staying proactive in addressing security concerns can help developers enhance the overall security posture of their WordPress plugins and reduce the risk of exploitable vulnerabilities being present in their codebase.

In conclusion, the identification of critical vulnerabilities in the Fancy Product Designer plugin underscores the importance of prioritizing security in plugin development and usage within the WordPress ecosystem. By following recommended security practices and promptly addressing reported vulnerabilities, developers and website administrators can better safeguard their online platforms against potential cyber threats and data breaches.
