Fancy Product Designer WordPress plugin has critical flaws, but no patches
Take action: If you are using Fancy Product Designer for WordPress, time to find another tool. A vendor that hasn't patched critical flaws for 9 months can't be trusted. If it's not this issue, it will be the next one that exposes you to hackers. In the meantime, disable the plugin when not in use.
Radykal's Fancy Product Designer, a premium WordPress plugin for WooCommerce with over 20,000 sales, is currently affected by two unpatched critical vulnerabilities. The plugin adds product customization features for items such as clothing, mugs, and phone cases. Patchstack researcher Rafie Muhammad discovered both flaws on March 17, 2024.
Vulnerability summary:
- CVE-2024-51919 (CVSS score 9.0): An unauthenticated arbitrary file upload vulnerability that can lead to remote code execution (RCE). The flaw lies in the 'save_remote_file' and 'fpd_admin_copy_file' functions, which fetch a file from a user-supplied remote URL without properly validating its type, so an unauthenticated attacker can place a malicious file, such as an executable PHP script, on the server simply by submitting a URL.
- CVE-2024-51818 (CVSS score 9.3): An unauthenticated SQL injection vulnerability. The affected code relies on PHP's 'strip_tags' to sanitize input, but that function only removes HTML tags; quotes, comment sequences, and boolean operators pass through untouched, and the value is then placed directly into a database query rather than bound through a prepared statement. An attacker can use this to read sensitive data from the database, modify content, or delete records.
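The following is an added example, not code from the plugin or from Patchstack's report. It shows why a 'strip_tags' call does nothing against SQL injection and what the prepared-statement fix looks like. It runs stand-alone with PHP's built-in SQLite PDO driver; the table name, rows, and injection payload are constructed for illustration and the WordPress equivalent ($wpdb->prepare) is noted in a comment.

```php
<?php
// Added example (not the plugin's code): strip_tags() is not a SQL sanitizer.
// Uses an in-memory SQLite database so it runs without WordPress.
// Table, rows and payload are constructed for this demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fpd_products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)');
$db->exec("INSERT INTO fpd_products VALUES (1, 'mug', 1), (2, 'internal-draft', 0)");

// Vulnerable pattern: the value is "sanitized" with strip_tags() and then
// concatenated into the SQL text. strip_tags() only removes <...> markup, so
// the quote, the OR and the "--" comment sequence all reach the database.
function lookup_vulnerable(PDO $db, string $id): array {
    $clean = strip_tags($id);
    $sql = "SELECT name FROM fpd_products WHERE id = '$clean' AND public = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: a prepared statement with a bound parameter. The value is
// sent separately from the SQL text, so it can never change the query's shape.
// In WordPress the equivalent is $wpdb->prepare("... WHERE id = %d", $id).
function lookup_hardened(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT name FROM fpd_products WHERE id = :id AND public = 1');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "1' OR 1=1 --";                    // constructed injection payload
var_dump(strip_tags($payload) === $payload);  // bool(true): strip_tags() changed nothing

// Vulnerable query becomes: ... WHERE id = '1' OR 1=1 --' AND public = 1
// The comment swallows the "public = 1" filter and every row comes back.
print_r(lookup_vulnerable($db, $payload));    // ['mug', 'internal-draft']

// Bound parameter: the whole payload is compared as one literal value.
print_r(lookup_hardened($db, $payload));      // [] (no row has that id)
print_r(lookup_hardened($db, '1'));           // ['mug']
```

The point to take from the run is the second print: the non-public row is returned only because the attacker-controlled string was allowed to rewrite the query. A prepared statement fixes this regardless of what characters the input contains, which is why input filtering (strip_tags or otherwise) should never be the only defense.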
Despite Patchstack's notification to Radykal on March 18, 2024, the vendor has not responded to the disclosure. The plugin has received 20 new versions since then, the most recent being 6.4.3 about two months ago, yet none of these releases addresses the two critical issues.
The number of currently vulnerable websites is not disclosed, though the plugin's sales figure is over 20,000.
As a temporary mitigation, administrators are advised to enforce an allowlist for file uploads that permits only safe file extensions, and to check that the uploaded content actually matches the claimed type. Note that this only addresses the file upload flaw; it does nothing against the SQL injection. Alternatively, and more safely, they can disable the plugin until a fix is released.
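The following is an added example, not the plugin's or WordPress's own code, of the upload allowlist recommended above, written for the remote-URL fetch scenario described for CVE-2024-51919. It validates both the extension taken from the URL path and the first bytes of the fetched content, so a PHP script renamed to "shell.png" is rejected along with "shell.php" and "shell.php.png". The allowlist, the forbidden-extension list, the sample URLs and the byte strings are all constructed for this example; the actual 'save_remote_file' logic is not reproduced here.

```php
<?php
// Added example (not the plugin's code): allowlist check for a file fetched
// from a remote URL, applied BEFORE anything is written under the web root.
// Allowed types, forbidden extensions and sample inputs are constructed.

// Extension => accepted magic-byte prefixes for that type.
const ALLOWED_TYPES = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'gif'  => ["GIF87a", "GIF89a"],
    'pdf'  => ["%PDF-"],
];

// Never accepted anywhere in the filename, including as an inner extension
// such as "design.php.png" (some server configurations execute those).
const FORBIDDEN_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'htaccess'];

function remote_file_allowed(string $url, string $bytes): bool {
    $path = parse_url($url, PHP_URL_PATH);             // query string and fragment are dropped
    if (!is_string($path) || $path === '') {
        return false;                                  // nothing to validate
    }
    $name  = strtolower(basename($path));              // case-insensitive comparison
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return false;                                  // no extension at all
    }
    array_shift($parts);                               // keep only the extension segments
    foreach ($parts as $segment) {
        if (in_array($segment, FORBIDDEN_EXTS, true)) {
            return false;                              // e.g. shell.php or shell.php.png
        }
    }
    $ext = end($parts);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;                                  // not on the allowlist
    }
    foreach (ALLOWED_TYPES[$ext] as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return true;                               // extension and content agree
        }
    }
    return false;                                      // content does not match the claimed type
}

// Constructed inputs: a minimal PNG header and a PHP web shell body.
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$php = "<?php system(\$_GET['c']); ?>";

var_dump(remote_file_allowed('https://cdn.example.com/designs/mug.png?v=3', $png)); // true
var_dump(remote_file_allowed('https://cdn.example.com/shell.php', $php));          // false: forbidden extension
var_dump(remote_file_allowed('https://cdn.example.com/shell.png', $php));          // false: bytes are not PNG
var_dump(remote_file_allowed('https://cdn.example.com/shell.php.png', $png));      // false: inner .php
var_dump(remote_file_allowed('https://cdn.example.com/design.PNG', $png));         // true: case-insensitive
```

Two design choices matter here. First, the decision is made on the bytes actually fetched, not on the URL alone, because the remote server controls both the name and the content. Second, dangerous extensions are rejected wherever they appear in the name, not just at the end. Inside WordPress, the core function wp_check_filetype_and_ext() performs a comparable extension-plus-content check and is the natural building block for a site-level fix.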