CyberSecurity news


@ciso2ciso.com - 50d
Critical security vulnerabilities have been discovered in Fancy Product Designer, a popular premium WordPress plugin with over 20,000 sales that adds extensive product customization to WooCommerce sites. Patchstack researchers identified two unpatched critical flaws: an unauthenticated arbitrary file upload vulnerability (CVE-2024-51919) and an unauthenticated SQL injection vulnerability (CVE-2024-51818). Because the flaws allow remote code execution and direct manipulation of the SQL database without any authentication, sites running the plugin are at significant risk of unauthorized access and data breaches.

The file upload flaw stems from inadequate input validation in the `save_remote_file` and `fpd_admin_copy_file` functions, which allows PHP files to be uploaded and therefore executed on the server. The SQL injection flaw originates in the `get_products_sql_attrs` function, which relies on `strip_tags` for sanitization; that function only removes HTML tags and does nothing to neutralize SQL metacharacters, so it offers no protection against injection. Website administrators using Fancy Product Designer are advised to deactivate or remove the plugin immediately until the vendor, Radykal, releases a security patch. They should also monitor official channels for updates and deploy a web application firewall (WAF) to block exploitation attempts in the meantime.
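To make the two defect classes concrete from a defender's side, the following PHP is an added illustration and is not code from Fancy Product Designer or Radykal. It contrasts a hypothetical weak handler (string interpolation "sanitized" with `strip_tags`, and a file copy with no type check) with a hardened form that uses real WordPress core APIs: `$wpdb->prepare`, `current_user_can`, `check_ajax_referer`, `download_url`, `wp_check_filetype_and_ext`, `wp_upload_dir`, `wp_unique_filename`. The function names `weak_products_sql`, `hardened_products_sql`, `hardened_save_remote_file` and the nonce action `example_save_remote_file` are assumptions chosen for this example.

```php
<?php
// Added example, not the plugin's code. Shows why strip_tags() is not SQL
// sanitization and how a remote-file save should be gated and type-checked.

// ---- Weak pattern (hypothetical): strip_tags() before string interpolation ----
// strip_tags() only removes HTML tags; quotes, comments and keywords pass through,
// so the interpolated ORDER BY / WHERE fragment is still attacker-controlled.
function weak_products_sql(wpdb $wpdb, string $order_by): string {
    $cleaned = strip_tags($order_by);
    return "SELECT ID FROM {$wpdb->prefix}posts WHERE post_type = 'product' ORDER BY $cleaned";
}

// ---- Hardened: allow-list identifiers, bind values with $wpdb->prepare() ----
function hardened_products_sql(wpdb $wpdb, string $order_by, string $post_type): string {
    // Column names cannot be bound as values, so accept only a fixed allow-list.
    $allowed_columns = ['ID', 'post_title', 'post_date'];
    if (!in_array($order_by, $allowed_columns, true)) {
        $order_by = 'ID';
    }
    // Values are bound with placeholders; $wpdb->prepare() escapes them.
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->prefix}posts WHERE post_type = %s ORDER BY $order_by",
        $post_type
    );
}

// ---- Hardened remote-file save (hypothetical AJAX handler) ----
// Defends in depth: capability check, nonce, strict MIME/extension allow-list,
// and a server-chosen filename so a ".php" name can never reach the upload dir.
function hardened_save_remote_file(string $url): array {
    if (!current_user_can('upload_files')) {
        return ['ok' => false, 'error' => 'forbidden'];
    }
    // 'example_save_remote_file' is an assumed nonce action name.
    if (!check_ajax_referer('example_save_remote_file', 'nonce', false)) {
        return ['ok' => false, 'error' => 'bad nonce'];
    }

    // Fetch to a temp file with WordPress' HTTP API (applies its URL checks).
    $tmp = download_url($url, 15);
    if (is_wp_error($tmp)) {
        return ['ok' => false, 'error' => $tmp->get_error_message()];
    }

    // Only image types are acceptable for a product-design asset.
    $allowed_mimes = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    ];
    $requested_name = sanitize_file_name(basename(parse_url($url, PHP_URL_PATH) ?: 'asset'));
    $check = wp_check_filetype_and_ext($tmp, $requested_name, $allowed_mimes);
    if (empty($check['ext']) || empty($check['type'])) {
        @unlink($tmp);
        return ['ok' => false, 'error' => 'file type not allowed'];
    }

    // Name the file ourselves from the verified extension; never trust the URL.
    $upload_dir = wp_upload_dir();
    $final_name = wp_unique_filename($upload_dir['path'], 'remote-asset.' . $check['ext']);
    $dest = trailingslashit($upload_dir['path']) . $final_name;
    if (!@rename($tmp, $dest)) {
        @unlink($tmp);
        return ['ok' => false, 'error' => 'could not store file'];
    }
    return ['ok' => true, 'path' => $dest];
}
```

The two points a reviewer would look for when auditing a plugin like this: any SQL fragment built by string concatenation from request data, regardless of which "sanitizer" is applied first, and any file-write path where the extension or MIME type comes from the client rather than from a server-side allow-list applied after content inspection.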



References:
  • ciso2ciso.com: Fancy Product Designer Plugin Flaws Expose WordPress Sites – Source: www.infosecurity-magazine.com
  • www.bleepingcomputer.com: Unpatched critical flaws impact Fancy Product Designer WordPress plugin
  • securityonline.info: Unpatched Vulnerabilities in Fancy Product Designer Plugin Put 20,000+ Websites at Risk
  • Latest from TechRadar: Another top WordPress plugin found carrying critical security flaws
Classification:
  • HashTags: #WordPress #Vulnerability #Plugin
  • Company: WordPress
  • Target: WordPress Sites
  • Product: Fancy Product Designer
  • Feature: Plugin Vulnerabilities
  • Type: Vulnerability
  • Severity: Major