Ethical Hacking News
Fancy Product Designer Plugin Vulnerabilities Pose a Significant Threat to WooCommerce Sites
The Fancy Product Designer plugin is affected by two critical-severity flaws that remain unfixed. The vulnerabilities, discovered by Patchstack, allow attackers to gain unauthorized access to WooCommerce sites and could lead to data breaches and other security incidents.
- The Fancy Product Designer plugin has critical unpatched security flaws.
- The first flaw is an unauthenticated arbitrary file upload vulnerability (CVE-2024-51919).
- The second flaw is an unauthenticated SQL injection vulnerability (CVE-2024-51818).
- Radykal, the vendor, has not responded to Patchstack's notification despite being aware of the issues.
- Admins are advised to take immediate action to protect themselves from these vulnerabilities.
- Preventing arbitrary file uploads and sanitizing user input can help mitigate these risks.
- Keeping WordPress core, themes, and plugins up to date with the latest security patches is essential.
The Unpatched Vulnerabilities of Fancy Product Designer: A Threat to WooCommerce Sites
In a recent development that has sent shockwaves through the WordPress community, it has been revealed that the Fancy Product Designer plugin has been left vulnerable to critical security flaws. Developed by Radykal, this popular premium plugin allows users to customize product designs on WooCommerce sites by changing colors, transforming text, or modifying the size.
The vulnerabilities in question were discovered by Patchstack’s Rafie Muhammad, who examined the plugin and found that it was susceptible to two critical severity flaws. The first flaw, CVE-2024-51919, is an unauthenticated arbitrary file upload vulnerability caused by an insecure implementation of file upload functions ‘save_remote_file’ and ‘fpd_admin_copy_file’. This vulnerability allows attackers to exploit a remote URL to upload malicious files, achieving remote code execution (RCE).
The second flaw, CVE-2024-51818, is an unauthenticated SQL injection vulnerability caused by improper sanitization of user input: the plugin relies on ‘strip_tags’, which removes HTML but is not sufficient protection against SQL injection. User-supplied input is placed directly into database queries without proper validation, potentially leading to database compromise, including data retrieval, modification, and deletion.
Despite Patchstack notifying the vendor of the issues a day after discovering them, Radykal never responded. As a result, the two critical security issues remain unpatched in the latest version of the plugin, even though 20 releases have shipped since the discovery. The most recent version, 6.4.3, was released just two months ago.
Patchstack’s writeup provides enough technical information for attackers to create exploits and target web stores that use Radykal's Fancy Product Designer plugin. To mitigate these vulnerabilities, admins are advised to prevent arbitrary file uploads by creating an allowed list of safe file extensions. Protecting against SQL injection requires sanitizing user input used in queries by escaping and formatting it safely before it reaches the database.
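As an added illustration of the two mitigations above in WordPress terms (this is not code from the Fancy Product Designer plugin, Radykal, or Patchstack), the PHP below shows an upload handler that enforces an extension and content-type allowlist, and a query built with $wpdb->prepare() instead of concatenating strip_tags() output. The fpd_demo_* function names, the allowlist, and the table name are assumptions made for this example; current_user_can(), check_ajax_referer(), and $wpdb->prepare() are real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. All fpd_demo_* names are hypothetical.

// --- 1. Upload hardening: allowlist the extension and verify the real content type ---

function fpd_demo_allowed_types(): array {
    // Constructed allowlist: extension => MIME type the file content must actually have.
    // Anything not listed (.php, .phtml, .phar, .svg, ...) is rejected outright.
    return [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
    ];
}

function fpd_demo_is_safe_upload(string $tmp_path, string $original_name): bool {
    $allowed = fpd_demo_allowed_types();
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false; // extension is not on the allowlist
    }
    // Check the bytes, not just the name: a script renamed to .png fails this test.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    return $mime === $allowed[$ext];
}

// $file is one entry of $_FILES; returns the stored path or null on rejection.
function fpd_demo_handle_upload(array $file, string $upload_dir): ?string {
    // The reported flaw is *unauthenticated* upload, so the first fix is to require
    // a logged-in user with the right capability and a valid nonce.
    if (!current_user_can('upload_files')) {
        return null;
    }
    check_ajax_referer('fpd_demo_upload', 'nonce'); // dies on a missing/invalid nonce

    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!fpd_demo_is_safe_upload($file['tmp_name'], $file['name'])) {
        return null;
    }
    // Never reuse the client-supplied filename; generate a random one and keep
    // only the already-allowlisted extension.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// --- 2. SQL hardening: strip_tags() is not an SQL escape; use $wpdb->prepare() ---

// Pattern to avoid: strip_tags() only removes HTML markup, so quotes and SQL
// syntax in $user_input pass straight into the query string.
function fpd_demo_find_designs_unsafe(string $user_input): array {
    global $wpdb;
    $cleaned = strip_tags($user_input);
    $sql = "SELECT id, title FROM {$wpdb->prefix}fpd_demo_designs WHERE title = '{$cleaned}'";
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Hardened form: %s and %d are escaped and formatted by $wpdb->prepare(), so the
// user input is never concatenated into SQL and cannot change the query structure.
function fpd_demo_find_designs(string $user_input, int $limit = 20): array {
    global $wpdb;
    $table = $wpdb->prefix . 'fpd_demo_designs'; // hypothetical table name
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title = %s ORDER BY id DESC LIMIT %d",
        $user_input,
        $limit
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}
```

The upload check deliberately combines three independent controls (authentication and nonce, an extension allowlist, and a content-type check on the actual bytes) because each one alone is bypassable; the SQL fix works by keeping user input out of the query text entirely rather than trying to clean it, which is why strip_tags() was never the right tool for that job.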
BleepingComputer has contacted Radykal to ask if they plan on releasing a security update soon, but a comment wasn’t immediately available.
The implications of this vulnerability are severe, as it could allow attackers to gain unauthorized access to WooCommerce sites, potentially leading to data breaches, financial losses, and reputational damage. Therefore, it is essential for users who rely on Fancy Product Designer plugin to take immediate action to protect themselves from these vulnerabilities.
One way to do this is by using a web application firewall (WAF) to block malicious traffic. Another approach is to monitor the plugin's logs regularly for suspicious activity. Admins can also take steps to ensure that user input is properly sanitized and validated, reducing the risk of SQL injection attacks.
Furthermore, users should keep their WordPress core, theme, and plugins up to date with the latest security patches. Additionally, using strong passwords, enabling two-factor authentication, and limiting login attempts can help prevent unauthorized access to WooCommerce sites.
In conclusion, the unpatched vulnerabilities in Fancy Product Designer plugin pose a significant threat to WooCommerce sites. It is essential for users to take immediate action to protect themselves from these vulnerabilities. By understanding the risks and taking proactive measures, admins can reduce the likelihood of data breaches and other security incidents.
Published: Wed Jan 8 17:39:33 2025 by llama3.2 3B Q4_K_M