- Patchstack researchers discover two new flaws in Fancy Product Designer
- The WordPress plugin built by Radykal has over 20,000 active users
- The flaws allowed remote code execution, arbitrary file uploads, and more
A popular WordPress plugin has been found to contain two critical vulnerabilities that allow threat actors to upload files, tamper with databases, and essentially take over compromised websites.
To make matters worse, the vulnerabilities remained in the code for more than six months, despite the developers being informed of them and actively working on new versions in the meantime.
Cybersecurity researchers at Patchstack claim to have discovered two vulnerabilities in late March 2024 in Fancy Product Designer, a premium website builder plugin developed by Radykal that lets users create and customize products such as t-shirts, mugs or posters with different design tools and options for e-commerce stores. It has over 20,000 sales.
Silence from the sellers
The vulnerabilities are tracked as CVE-2024-51919 (severity score 9.0) and CVE-2024-51818. The former is an unauthenticated arbitrary file upload vulnerability, while the latter is an unauthenticated SQL injection flaw. Because the first allows remote code execution (RCE), it can lead to full website takeover in some scenarios.
Patchstack claims to have notified the vendor of the issues in late March but never heard back from the company. In the meantime, Radykal worked on new versions of the plugin and released twenty of them. The latest (6.4.3), pushed two months ago, still contains the critical security flaws.
To warn users about the risks and draw attention to the problem, Patchstack added the bugs to its database and published an in-depth blog post with enough technical information to build an exploit and target websites using Fancy Product Designer.
To prevent this from happening, web administrators should maintain an allowlist of permitted file extensions, so that threat actors cannot upload whatever they want. Patchstack added that users should also sanitize user input before it reaches a query, to defend against SQL injection attacks.
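The two mitigations described above, shown as an added PHP example written for this article (it is not code from the Fancy Product Designer plugin or from Patchstack): a WordPress AJAX upload handler that requires a logged-in, privileged user, validates the uploaded file against an extension allowlist using the file's real content rather than its client-supplied name, and writes the record with a prepared statement. The hook name, table name and column names are assumptions for illustration.

```php
<?php
// Added example, not from the article or the plugin: a hardened upload handler.
// Registered only for logged-in users (no 'wp_ajax_nopriv_' hook), so an
// unauthenticated request never reaches the upload or database code at all.
add_action( 'wp_ajax_fpd_example_upload', 'fpd_example_handle_upload' ); // hook name assumed

function fpd_example_handle_upload() {
    check_ajax_referer( 'fpd_example_upload' );          // reject requests without a valid nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['design']['tmp_name'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // Allowlist of extensions and the MIME type each must really have.
    // Anything not listed (php, phtml, htaccess, svg with scripts, ...) is refused.
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $name    = sanitize_file_name( $_FILES['design']['name'] );

    // wp_check_filetype_and_ext() checks the extension against $allowed AND
    // inspects the file content, so "shell.php" is rejected by name and
    // "shell.png" that actually contains PHP is rejected because it is not a PNG.
    $check = wp_check_filetype_and_ext( $_FILES['design']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let WordPress move the file into the uploads directory with a safe name.
    $upload = wp_handle_upload( $_FILES['design'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }

    // Record the upload. The unsafe pattern would be string concatenation such as
    //   "INSERT ... VALUES (" . $_POST['user_id'] . ", '" . $upload['file'] . "')"
    // which is the shape of an SQL injection bug; $wpdb->prepare() binds the
    // values as typed placeholders instead.
    global $wpdb;
    $table = $wpdb->prefix . 'fpd_example_designs';  // table name assumed
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (user_id, file_path) VALUES (%d, %s)",
        get_current_user_id(),
        $upload['file']
    ) );

    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```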
Via BleepingComputer