Critical security vulnerabilities have been discovered in the Fancy Product Designer plugin for WordPress, a popular premium plugin with over 20,000 sales that enables extensive product customization on WooCommerce sites. Patchstack researchers identified two unpatched critical flaws: an unauthenticated arbitrary file upload vulnerability (CVE-2024-51919) and an unauthenticated SQL injection vulnerability (CVE-2024-51818). These vulnerabilities place websites using the plugin at significant risk of unauthorized access and data breaches, as they allow for remote code execution and direct SQL database manipulation by malicious actors.
The file upload flaw stems from inadequate input validation in the `save_remote_file` and `fpd_admin_copy_file` functions, which lets an unauthenticated attacker upload PHP files to the server and thereby achieve remote code execution. The SQL injection flaw lies in the `get_products_sql_attrs` function, which relies on PHP's `strip_tags` to sanitize input before building a query; `strip_tags` only removes HTML tags and leaves quotes, comment markers and SQL keywords intact, so it offers no protection against injection. Because no fix is currently available, administrators running Fancy Product Designer are advised to deactivate or remove the plugin until the vendor, Radykal, releases a patched version, to monitor the vendor's official channels for updates, and to deploy a web application firewall (WAF) to block exploitation attempts in the meantime. A WAF rule is a stopgap that reduces exposure; it does not replace the vendor patch.
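The following is an added illustration of the two flaw classes described above; it is not the plugin's code and does not reproduce the vulnerable functions. It uses a hypothetical product lookup and a hypothetical upload-name check, backed by an in-memory SQLite database through PDO so it runs stand-alone with the PHP 8 CLI (the `pdo_sqlite` extension is assumed). The table, rows and payload are constructed for the demo. In a real WordPress plugin the prepared statement corresponds to `$wpdb->prepare()`, and the extension check to `wp_check_filetype_and_ext()`.

```php
<?php
// Added example, not code from the Fancy Product Designer plugin.
// Shows (1) why strip_tags() is not an SQL injection defence and what a
// parameterised query does instead, and (2) an allow-list check for upload
// file names instead of trusting the client-supplied name.
// Assumes PHP 8+ with the pdo_sqlite extension.

function make_db(): PDO {
    // Constructed sample data for the demo.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, sku TEXT, secret TEXT)');
    $db->exec("INSERT INTO products (sku, secret) VALUES ('mug-01', 'hidden-1'), ('tee-02', 'hidden-2')");
    return $db;
}

// Vulnerable pattern (hypothetical, modelled on the flaw class in the article):
// strip_tags() removes HTML tags but leaves quotes, comment markers and SQL
// keywords untouched, and the result is concatenated straight into the query.
function products_by_sku_vulnerable(PDO $db, string $sku): array {
    $clean = strip_tags($sku);
    $sql = "SELECT sku FROM products WHERE sku = '" . $clean . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: user input travels as a bound parameter, never as SQL text.
// WordPress equivalent: $wpdb->prepare("... WHERE sku = %s", $sku).
function products_by_sku_safe(PDO $db, string $sku): array {
    $stmt = $db->prepare('SELECT sku FROM products WHERE sku = :sku');
    $stmt->execute([':sku' => $sku]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Upload-side check for the file upload flaw class: allow-list the final
// extension and reject path separators and NUL bytes, rather than accepting
// whatever name (and therefore whatever extension) the client sends.
// WordPress equivalent: wp_check_filetype_and_ext() plus wp_handle_upload().
function is_allowed_upload_name(string $name): bool {
    $allowed = ['png', 'jpg', 'jpeg', 'gif']; // constructed allow-list for the demo
    if (str_contains($name, '/') || str_contains($name, '\\') || str_contains($name, "\0")) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

$db = make_db();
// Constructed injection payload: contains no HTML, so strip_tags() returns it unchanged.
$payload = "' OR '1'='1";

// The concatenated query becomes: ... WHERE sku = '' OR '1'='1', matching every row.
var_dump(strip_tags($payload) === $payload);
var_dump(products_by_sku_vulnerable($db, $payload));

// The bound parameter is compared as a literal SKU and matches nothing.
var_dump(products_by_sku_safe($db, $payload));

// Upload-name check: an image name passes, a PHP file or path traversal does not.
var_dump(is_allowed_upload_name('design.png'));
var_dump(is_allowed_upload_name('shell.php'));
var_dump(is_allowed_upload_name('../shell.php'));
```

The extension allow-list is deliberately the weakest acceptable control: real upload handling should also verify the file's content type against its extension (as `wp_check_filetype_and_ext()` does) and store uploads outside any directory the web server will execute PHP from.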