CyberSecurity SEE

Issues with the Fancy Product Designer Plugin Pose Security Risks for WordPress Sites


Two critical security vulnerabilities have been reported in Fancy Product Designer, a premium WordPress plugin that lets customers design and customize WooCommerce products. Despite its extensive functionality and a user base of more than 20,000 sales, Patchstack researchers found both flaws present in the plugin's latest version at the time, 6.4.3, with no fixed release available.

The first, an unauthenticated arbitrary file upload flaw (CVE-2024-51919), is the more severe: it allows an attacker with no account on the site to upload files of any type, including PHP scripts, which can lead to remote code execution (RCE) on the web server. The flaw lies in the save_remote_file and fpd_admin_copy_file functions, which do not adequately validate the files they fetch or copy, so the upload is effectively unrestricted.

The second is an unauthenticated SQL injection bug (CVE-2024-51818) that lets an attacker run SQL queries of their own choosing against the underlying WordPress database. It stems from the get_products_sql_attrs function, which builds a query from user input after passing it through strip_tags. That function only removes HTML and PHP tags; it does not escape quotes or other SQL metacharacters, so it offers no protection against injection.
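The following is an added example, not code from the plugin or from Patchstack, showing why strip_tags() is no defence against SQL injection and what a parameterised query does instead. It uses an in-memory SQLite database through PDO so it runs offline; the products table, its rows and the attacker payload are all constructed for the demo. In a WordPress plugin the equivalent of the prepared statement is $wpdb->prepare(), shown in a comment.

```php
<?php
// Added example (not the plugin's code): strip_tags() versus a prepared statement.
// Runs with plain php-cli; pdo_sqlite ships with most PHP builds.
declare(strict_types=1);

// Constructed demo database: two public products and one that must stay hidden.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, private INTEGER)');
    $db->exec("INSERT INTO products VALUES (1, 'Public mug', 0), (2, 'Unreleased hoodie', 1), (3, 'Public tee', 0)");
    return $db;
}

// Vulnerable pattern: "sanitise" with strip_tags() and interpolate into the query.
// strip_tags() only removes <...> markup; quotes, OR, UNION and comment sequences survive.
function vulnerable_lookup(PDO $db, string $userId): array {
    $clean = strip_tags($userId);
    $sql   = "SELECT id, name FROM products WHERE private = 0 AND id = $clean";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound as data and is never parsed as SQL.
// WordPress equivalent:
//   $wpdb->get_results( $wpdb->prepare( "SELECT id, name FROM {$wpdb->prefix}products WHERE private = 0 AND id = %d", $user_id ) );
function hardened_lookup(PDO $db, string $userId): array {
    $stmt = $db->prepare('SELECT id, name FROM products WHERE private = 0 AND id = :id');
    $stmt->execute([':id' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = demo_db();
$payload = '1 OR 1=1';   // constructed attacker input; no tags, so strip_tags() leaves it untouched

printf("strip_tags(%s) => %s\n", var_export($payload, true), var_export(strip_tags($payload), true));
// The interpolated query becomes "... WHERE private = 0 AND id = 1 OR 1=1", which matches every row,
// including the private one.
printf("vulnerable: %d rows returned (private row leaked)\n", count(vulnerable_lookup($db, $payload)));
// The bound value "1 OR 1=1" is compared as a literal against the integer id column and matches nothing.
printf("hardened:   %d rows returned\n", count(hardened_lookup($db, $payload)));
```

Run it with `php demo.php`: the vulnerable lookup returns all three rows, the hardened one returns none. The point is not the specific payload but that a string filter designed for HTML has no bearing on the SQL grammar; only binding (or, for identifiers and keywords that cannot be bound, a strict allowlist) keeps user input out of the query's structure.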

Patchstack researchers reported both vulnerabilities to the plugin vendor, Radykal, on March 18, 2024, but received no response and saw no fix. After that extended disclosure window, the vulnerabilities were published on January 8, 2025, leaving WordPress sites that still run the plugin exposed to exploitation by threat actors.

Because no patch exists, site administrators are strongly advised to deactivate, or preferably remove, the Fancy Product Designer plugin from their WordPress installations until the vendor releases a fixed version. Security experts also recommend the following practices for developers to avoid similar bugs in their own plugins:

– Validate every file upload by checking the filename and extension, and verify that the file content actually matches the claimed type
– Use an allowlist so that only explicitly permitted file types can be uploaded, rather than trying to block known-bad ones
– Use prepared statements (in WordPress, $wpdb->prepare) for all SQL queries to prevent SQL injection
– Sanitize and escape all user input appropriately for the context in which it is used, to prevent code injection vulnerabilities
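To make the file-upload advice concrete, here is an added example (not the plugin's code, and not a reconstruction of save_remote_file or fpd_admin_copy_file) of an acceptance check that combines the allowlist, extension and content checks listed above. The allowed types, the validate_upload function and the sample "uploads" are all constructed for this demo; it runs with plain php-cli and touches no real files.

```php
<?php
// Added example (not the plugin's code): hardened acceptance check for an uploaded
// or remotely fetched file. Sample inputs below are constructed byte strings.
declare(strict_types=1);

// Allowlist: permitted extension => magic bytes the content must start with.
// Anything not listed (php, phtml, phar, svg, html, ...) is rejected by default.
const ALLOWED_TYPES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
];

/**
 * Returns a safe storage name (random, with an allowlisted extension) or null if rejected.
 * The client-supplied name is trusted for nothing except reading its final extension.
 */
function validate_upload(string $clientName, string $bytes): ?string {
    // 1. Drop directory components; a NUL byte is a classic filter-bypass trick.
    if (strpos($clientName, "\0") !== false) {
        return null;
    }
    $base = basename($clientName);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    // 2. Only the final extension counts, lower-cased, so "shell.PhP" and "x.phtml" fail here.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // 3. Content must match the claimed type, so "shell.png" that really holds PHP fails here.
    $magic = ALLOWED_TYPES[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;
    }
    // 4. Discard the client name entirely: the stored name is random and carries a safe extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: what an attacker and a legitimate user might send.
$phpShell = "<?php system(\$_GET['c']); ?>";
$samples = [
    ['shell.php',            $phpShell],                          // plain webshell
    ['shell.PhP',            $phpShell],                          // case trick
    ['shell.png',            $phpShell],                          // PHP renamed to .png
    ["shell.php\0.png",      "\x89PNG\r\n\x1a\n"],                // NUL-byte trick
    ['../../../evil.png',    "\x89PNG\r\n\x1a\n" . "\0\0\0\rIHDR"], // traversal in the name, valid PNG body
    ['design.png',           "\x89PNG\r\n\x1a\n" . "\0\0\0\rIHDR"], // legitimate
    ['photo.jpg',            "\xFF\xD8\xFF\xE0\0\x10JFIF"],       // legitimate
];

foreach ($samples as [$name, $bytes]) {
    $stored = validate_upload($name, $bytes);
    printf("%-22s => %s\n", str_replace("\0", '\0', $name), $stored === null ? 'REJECTED' : "stored as $stored");
}
```

The traversal sample is accepted, and that is intentional: its content is a valid PNG, and because the stored name is generated rather than taken from the request, the "../" in the client name never reaches the filesystem. In a real WordPress plugin the same checks are available through wp_check_filetype_and_ext() and wp_handle_upload(), the destination should be a directory where PHP execution is disabled, and, since both flaws described above are unauthenticated, the handler must also verify capability and nonce (current_user_can() and check_ajax_referer()) before doing any of this.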

Furthermore, conducting regular code audits and staying proactive in addressing security concerns can help developers enhance the overall security posture of their WordPress plugins and reduce the risk of exploitable vulnerabilities being present in their codebase.

In conclusion, the identification of critical vulnerabilities in the Fancy Product Designer plugin underscores the importance of prioritizing security in plugin development and usage within the WordPress ecosystem. By following recommended security practices and promptly addressing reported vulnerabilities, developers and website administrators can better safeguard their online platforms against potential cyber threats and data breaches.

