- Patchstack researchers discover two new flaws in Fancy Product Designer
- Radykal-built WordPress plugin has over 20,000 active users
- The flaws allow remote code execution, downloading arbitrary files, and more.
A popular WordPress plugin has been discovered to have two critical vulnerabilities that allow malicious actors to upload files, tamper with databases, and essentially take control of compromised websites.
To make matters worse, the vulnerabilities remained in the code for over six months, although developers were informed and are actively working on new versions in the meantime.
Cybersecurity researchers at Patchstack claimed in late March 2024 to have discovered two vulnerabilities in Fancy Product Designer, a premium website builder plugin developed by Radykal, which allows users to create and customize products, such as t -shirts, mugs or posters, with various tools and design options for e-commerce stores. It has over 20,000 sales.
Silence of sellers
The vulnerabilities are tracked as CVE-2024-51919 (severity score 9.0) and CVE-2024-51818. The first is an unauthenticated arbitrary file upload vulnerability, while the second is an unauthenticated SQL injection vulnerability. Since the former allows remote code execution (RCE), it could lead to the complete takeover of the website in certain scenarios.
Patchstack claims to have notified the vendor of the issues in late March, but never received a response from the company. Meanwhile, Radykal was working on new versions of the plugin and released 20 of them. The latest one was released two months ago (6.4.3) and still has critical security vulnerabilities.
To warn users of the risks and draw attention to the issue, Patchstack added the bugs to its database and published a detailed blog, containing enough technical information to create an exploit and target websites using by Fancy Product Designer.
To prevent this from happening, web administrators should create a whitelist of allowed file extensions, and thus prevent bad actors from downloading what they want. Patchstack added that users should also sanitize user input for a query to defend against SQL injection attacks.
Via BeepComputer
