- Patchstack researchers find two new flaws in Fancy Product Designer
- WordPress plugin created by Radykal has over 20,000 active users
- Flaws allowed remote code execution, arbitrary file uploads, and more
A popular WordPress plugin was discovered to have two critical vulnerabilities that allow threat actors to upload files, manipulate databases, and essentially take over compromised websites.
To make matters worse, the vulnerabilities remained in the code for more than half a year, despite the developers being notified and actively working on new versions in the meantime.
Patchstack cybersecurity researchers say that in late March 2024 they discovered two vulnerabilities in Fancy Product Designer, a premium website builder plugin developed by Radykal, which allows users to create and customize products, such as t-shirts, mugs or posters. , with various tools and layout options for eCommerce stores. It has more than 20,000 sales.
The silence of the sellers
The vulnerabilities are tracked as CVE-2024-51919 (severity score 9.0) and CVE-2024-51818. The first is an unauthenticated arbitrary file upload vulnerability, while the second is an unauthenticated SQL injection flaw. Since the former allows remote code execution (RCE), it could lead to a complete takeover of the website in some scenarios.
Patchstack claims to have notified the vendor about the issues in late March, but never heard back from the company. Meanwhile, Radykal was working on new versions of the plugin and released 20 of them. The latest one was released two months ago (6.4.3) and still has critical security flaws.
To warn users about the risks and draw attention to the issue, Patchstack added the bugs to its database and published a detailed blog, with enough technical information to create an exploit and target websites using Fancy Product Designer.
To prevent this from happening, web administrators should create a whitelist of allowed file extensions to prevent threat actors from loading whatever they want. Patchstack added that users should also sanitize user input for a query to defend against SQL injection attacks.
Through beepcomputer
