By - Researchers from Patchstack find two new flaws in Fancy Product Designer
- The Radykal-built WordPress plugin has more than 20,000 active users
- The flaws allowed for remote code execution, arbitrary file upload, and more
A popular WordPress plugin was found carrying two critical vulnerabilities that allow threat actors to upload files, tamper with databases, and essentially take over compromised websites.
To make matters worse, the vulnerabilities remained in the code for more than half a year, despite the developers being notified, and actively working on new versions in the meantime.
Cybersecurity researchers from Patchstack claim in late March 2024, they discovered two vulnerabilities in Fancy Product Designer, a premium website builder plugin developed by Radykal, which allows users to create and customize products, such as t-shirts, mugs, or posters, with various design tools and options for e-commerce stores. It has more than 20,000 sales.
Silence of the vendors
The vulnerabilities are tracked as CVE-2024-51919 (severity score 9.0), and CVE-2024-51818. The former is an unauthenticated arbitrary file upload vulnerability, while the latter is an unauthenticated SQL injection flaw. Since the former allows for remote code execution (RCE), it could lead to full website takeover in some scenarios.
Patchstack claims to have notified the vendor of the issues in late March, but never heard back from the company. In the meantime, Radykal was working on new versions of the plugin, and released 20 of them. The latest one was pushed two months ago (6.4.3), and it still carries the critical security flaws.
To warn users of the risks, and to draw attention to the problem, Patchstack added the bugs to its database, and published an in-depth blog, with the technical information found within enough to build an exploit and target websites using Fancy Product Designer.
To prevent that from happening, web admins should create a whitelist of allowed file extensions, and thus stop threat actors from uploading whatever they please. Patchstack added that users should sanitize user input for a query to defend against SQL injection attacks, too.
Via BleepingComputer
