Two critical zero-day vulnerabilities have been discovered in the Fancy Product Designer plugin, a popular premium WordPress tool used by over 20,000 websites for product customization. The flaws, an Unauthenticated Arbitrary File Upload and an Unauthenticated SQL Injection, remain unpatched in the latest version (6.4.3).
Fancy Product Designer is a premium WordPress plugin that enables users to design and customize products on WooCommerce platforms. Developed by Radykal, the plugin is highly regarded for its versatility and ease of use. Its popularity among e-commerce businesses heightens the risks posed by these vulnerabilities, potentially exposing thousands of websites to exploitation.
The two zero-day exploits are tracked as CVE-2024-51919 and CVE-2024-51818, with CVSS scores of 9.0 and 9.3, respectively.
- Unauthenticated Arbitrary File Upload (CVE-2024-51919): This vulnerability enables attackers to upload malicious files, such as PHP scripts, to the server, potentially leading to Remote Code Execution (RCE). The flaw exists in the save_remote_file and fpd_admin_copy_file functions, which fail to validate and restrict user-controlled inputs.
- Unauthenticated SQL Injection (CVE-2024-51818): This vulnerability allows attackers to manipulate SQL queries by exploiting insufficient sanitization in the get_products_sql_attrs function. The use of strip_tags for input sanitization does not prevent injection attacks, enabling unauthorized database access.
Both vulnerabilities can be exploited without authentication, making them particularly dangerous for affected websites.
The vulnerabilities were first identified by security researcher Rafie Muhammad from Patchstack on March 17, 2024, and the vendor, Radykal, was notified the following day. Despite multiple attempts to contact the developer, no response has been received. As a result, Patchstack disclosed the vulnerabilities to its clients earlier this week and issued a public security advisory earlier today.
Recommendations for users
Given the active zero-day status of these vulnerabilities, users are advised to immediately deactivate or uninstall the plugin until a patch is released.
To mitigate arbitrary file upload risks, website administrators are recommended to use file extension whitelisting to restrict uploads to safe file types and validate and sanitize all user-uploaded content. For SQL injection, it is advised to adopt prepared statements for all SQL queries and sanitize inputs thoroughly, ensuring proper data type validation.
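The two mitigations recommended here, and the reason strip_tags is not a SQL defence as noted in the vulnerability description above, shown as an added PHP example. This is illustrative code written for this page, not code from Fancy Product Designer, Radykal or Patchstack; the function names, the nonce action, the attribute keys and the allowed-status list are assumptions.

```php
<?php
// Illustrative hardening example (added here; not the plugin's own code).
// Function and parameter names are hypothetical.

/**
 * Weak pattern: strip_tags() only removes HTML tags. Quotes, SQL comment
 * markers and boolean logic pass straight through into the query string.
 */
function fpd_example_products_sql_weak( $wpdb, array $attrs ) {
    $status = strip_tags( $attrs['post_status'] ); // not a SQL sanitizer
    return "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' AND post_status = '{$status}'";
}

/**
 * Hardened pattern: values that must come from a fixed set are checked against
 * an allowlist, numeric inputs are coerced to integers, and every user-controlled
 * value is bound through $wpdb->prepare() instead of being interpolated.
 */
function fpd_example_products_sql_safe( $wpdb, array $attrs ) {
    $allowed_status = array( 'publish', 'draft', 'pending', 'private' ); // assumed set
    $status = isset( $attrs['post_status'] ) ? (string) $attrs['post_status'] : 'publish';
    if ( ! in_array( $status, $allowed_status, true ) ) {
        $status = 'publish'; // anything outside the known set falls back to the default
    }
    $limit = isset( $attrs['limit'] ) ? absint( $attrs['limit'] ) : 20; // enforce integer type

    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s LIMIT %d",
        'product',
        $status,
        $limit
    );
}

/**
 * Upload check: require an authenticated user with the upload capability and a
 * valid nonce, allowlist extensions and MIME types, and let WordPress verify the
 * declared type against the file's actual content before storing it.
 */
function fpd_example_validate_upload( array $file ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Authentication and upload capability required.' );
    }
    check_ajax_referer( 'fpd_example_upload', 'nonce' ); // hypothetical nonce action

    // Allowlist: only these extension/MIME pairs are accepted. PHP, HTML, SVG and
    // other script-capable types are simply not in the list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    $name = sanitize_file_name( $file['name'] );
    $type = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $type['ext'] ) || empty( $type['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }
    // If the declared extension did not match the detected image type, WordPress
    // returns a corrected filename; use it rather than the client-supplied name.
    if ( ! empty( $type['proper_filename'] ) ) {
        $name = $type['proper_filename'];
    }

    $upload = wp_upload_dir();
    $dest   = trailingslashit( $upload['path'] ) . wp_unique_filename( $upload['path'], $name );
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store file.' );
    }
    return $dest;
}
```

The weak function is included only to make the contrast concrete: strip_tags leaves the characters that matter to a SQL parser untouched, so the safe version never relies on it and instead binds values with `%s`/`%d` placeholders. The upload handler puts the authentication and capability check first, because the flaws described above are reachable without any login; the extension allowlist and content-type verification then reduce what an authenticated user can store.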
Until the Fancy Product Designer plugin is patched, websites running the vulnerable version are at high risk. Users should monitor updates from Radykal and apply patches as soon as they are made available.