Impreza Portal
Sign InMy ServicesMy DomainsMy InvoicesMy Tickets
Documentation
News
Impreza AI
Our Platform
Carbon Removal
Tutorials
Video TutorialsImpreza Community
More
UptimeNetwork StatusWHOISAffiliatesJobsAbout us
Contact
Submit TicketSend an EmailTelegramReport Abuse
Take a look!
HOMEDOMAINS
CONTACT
Impreza Community Introduction
Questions? Our AI can help you out!
Impreza AI
AI Support Assistant
Online — 24/7
1
Login
Sign InCreate an Account
No Comments

The Fancy Product Designer plugin for WordPress has unpatched Critical Flaws

 

Radykal’s premium WordPress plugin, Fancy Product Designer, contains two critical vulnerabilities that remain unfixed in its current latest version.

With more than 20,000 sales, the plugin empowers users to customize product designs—such as clothing, mugs, and phone cases—on WooCommerce sites by changing colors, transforming text, or modifying the size.

While reviewing the plugin, Rafie Muhammad from Patchstack discovered two critical flaws on March 17, 2024:

  • CVE-2024-51919 (CVSS score: 9.0): An insecure implementation of the file upload functions ‘save_remote_file’ and ‘fpd_admin_copy_file’ causes an unauthenticated arbitrary file upload vulnerability. These functions fail to validate or restrict file types, enabling attackers to upload malicious files via a remote URL and achieve remote code execution (RCE).
  • CVE-2024-51818 (CVSS score: 9.3): Improper sanitization of user inputs due to the insufficient ‘strip_tags’ function leads to an unauthenticated SQL injection flaw. User-supplied input is directly included in database queries without proper validation, which can allow attackers to compromise databases, retrieve sensitive data, or modify and delete records.

Although Patchstack informed Radykal of these issues a day after discovering them, the vendor did not respond.

On January 6, Patchstack added the flaws to its database and published a blog post to alert users and raise awareness of the risks.

Despite releasing 20 updates, including version 6.4.3 two months ago, Radykal has not addressed these critical security issues, according to Muhammad.

Patchstack’s detailed writeup provides enough technical information for attackers to craft exploits and start targeting web stores that rely on the Fancy Product Designer plugin.

As a precaution, admins should prevent arbitrary file uploads by creating an allowed list of safe file extensions. Additionally, Patchstack advises sanitizing user inputs for database queries by using safe escaping and formatting techniques to guard against SQL injection.

The company has not provided a comment until the moment of this post.

 

Source: BleepingComputer,

You might also like
News
News

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.