Two critical vulnerabilities have been disclosed in Fancy Product Designer, the popular WordPress plugin by Radykal. Both flaws are present in the latest release of the plugin at the time of disclosure (6.4.3) and affect the more than 20,000 customers who use it to let shoppers customize products on their WooCommerce sites.
Researchers at Patchstack identified the vulnerabilities on March 17, 2024. The first, tracked as CVE-2024-51919 with a CVSS score of 9.0, is an unauthenticated arbitrary file upload. The plugin's file download and copy functions fetch a file from a caller-supplied remote URL and store it on the server without checking who is making the request or what type of file is being saved, so an attacker can plant a file of their choosing (for example a PHP script) and potentially achieve remote code execution.
The second, tracked as CVE-2024-51818 with a CVSS score of 9.3, is an unauthenticated SQL injection. User-supplied input reaches a database query without being sanitized or bound as a parameter, so an attacker who needs no account on the site can inject their own SQL and read, modify, or delete data in the WordPress database.
Patchstack notified Radykal of both vulnerabilities on March 18, 2024, but the vendor did not respond. The issues were added to the Patchstack vulnerability database in January 2025, and a detailed public report warning users of the risk followed on January 6, 2025.
Several plugin updates have shipped in the meantime, including version 6.4.3 about two months before the report, yet neither vulnerability has been fixed. Patchstack recommends that the plugin's authors restrict the download functionality (refuse arbitrary remote downloads and accept only an explicit allow-list of file extensions) and protect database access by sanitizing and escaping user input, preferably through parameterized queries. Until Radykal ships a fix, site owners cannot resolve either issue by updating; the practical options are to disable the plugin or to place a web application firewall rule in front of the affected endpoints.
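The two weaknesses described above, the remote-file fetch that saves whatever it is pointed at and the query built from raw request data, are the two most common classes of critical bug in WordPress plugins. The following is an added illustration written for this article; it is not code from Fancy Product Designer or from Patchstack. The `fpd_demo_*` function names and the `fpd_demo_designs` table are hypothetical. Each weak pattern is shown next to a hardened version that applies the recommendations in the report: a capability and nonce check, an allow-list of extensions, content validation, a server-chosen file name, and `$wpdb->prepare()` for the query.

```php
<?php
// Added illustration, not plugin code. All fpd_demo_* names are hypothetical.

// --- 1. Remote file fetch --------------------------------------------------
// Weak pattern: no capability check, no nonce, any URL, any extension, and the
// file is written under the web root with the name the caller chose.
function fpd_demo_fetch_remote_weak() {
    $url  = $_REQUEST['url'];
    $name = basename( $_REQUEST['name'] );
    $dir  = wp_upload_dir();
    file_put_contents( $dir['basedir'] . '/' . $name, file_get_contents( $url ) );
}

// Hardened pattern.
function fpd_demo_fetch_remote_hardened() {
    // Only an administrator, and only from a form carrying a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'fpd_demo_fetch', 'nonce' );

    // Reject anything that is not a well-formed http(s) URL.
    $url = isset( $_REQUEST['url'] ) ? wp_http_validate_url( wp_unslash( $_REQUEST['url'] ) ) : false;
    if ( ! $url ) {
        wp_send_json_error( 'bad url', 400 );
    }

    // Allow-list of what a product designer actually needs; all else is refused.
    // SVG can carry script, so keep it only if the plugin sanitizes SVG on save.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $name = sanitize_file_name( isset( $_REQUEST['name'] ) ? wp_unslash( $_REQUEST['name'] ) : '' );
    $type = wp_check_filetype( $name, $allowed );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'extension not allowed', 400 );
    }

    // Fetch through the WP HTTP API with a timeout and no redirects.
    $resp = wp_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    $body = wp_remote_retrieve_body( $resp );

    // Check the content, not just the name: an image must decode as an image.
    if ( false === @getimagesizefromstring( $body ) ) {
        wp_send_json_error( 'not an image', 400 );
    }

    // Server-generated file name; the caller's name only contributed the vetted extension.
    $dir  = wp_upload_dir();
    $dest = trailingslashit( $dir['basedir'] ) . 'fpd-demo/';
    wp_mkdir_p( $dest );
    $dest .= wp_generate_password( 16, false ) . '.' . $type['ext'];
    file_put_contents( $dest, $body );
    wp_send_json_success( array( 'file' => basename( $dest ) ) );
}

// --- 2. Database query -----------------------------------------------------
// Weak pattern: the request value is concatenated straight into the statement.
function fpd_demo_get_design_weak( $id ) {
    global $wpdb;
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}fpd_demo_designs WHERE id = '" . $id . "'" );
}

// Hardened pattern: $wpdb->prepare() binds the value and %d forces an integer;
// table and column names are fixed strings, never caller input.
function fpd_demo_get_design_hardened( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fpd_demo_designs';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, title, data FROM {$table} WHERE id = %d", absint( $id ) )
    );
}

// ORDER BY cannot be a placeholder, which is a common way injection creeps
// back in; map the caller's choice onto a fixed list instead.
function fpd_demo_order_clause( $requested ) {
    $columns = array( 'id', 'title', 'created' );
    $col     = in_array( $requested, $columns, true ) ? $requested : 'id';
    return "ORDER BY `{$col}` ASC";
}
```

Two design points are worth noting. The hardened fetch never trusts the file name for anything but its extension, and it validates the extension against an allow-list before the download starts, so the server never stores a byte of an unexpected type. On the query side, `%d` with `absint()` is stricter than escaping, because the value cannot be anything but an integer; for string columns, `%s` in `prepare()` gives the same binding guarantee. Whatever directory such files land in should also have PHP execution disabled at the web server, so that even a successful upload of a script does not execute.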