Two severe security flaws have been identified in the popular Fancy Product Designer plugin for WordPress, with no fixes yet implemented. Despite repeated notifications, the plugin’s developer, Radykal, has not addressed the vulnerabilities, leaving users at risk.
Details of the Vulnerabilities
Fancy Product Designer, a plugin widely used on WooCommerce sites to customize product designs like clothing, mugs, and phone cases, has been downloaded over 20,000 times. However, Rafie Muhammad of Patchstack uncovered two critical flaws in the plugin on March 17, 2024:
- CVE-2024-51919 (CVSS Score: 9.0)
  - Issue: Unauthenticated arbitrary file upload vulnerability.
  - Cause: The plugin's file upload functions, save_remote_file and fpd_admin_copy_file, fail to validate or restrict file types adequately.
  - Impact: Attackers can use this flaw to upload malicious files via remote URLs, potentially achieving remote code execution (RCE).
- CVE-2024-51818 (CVSS Score: 9.3)
  - Issue: Unauthenticated SQL injection vulnerability.
  - Cause: User inputs are sanitized only with the strip_tags function, which is insufficient for this purpose, so they are integrated unsafely into database queries.
  - Impact: Exploits could compromise the database, allowing attackers to retrieve, modify, or delete data.
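Both flaws above come down to the same two mistakes: treating strip_tags as if it were an SQL escaping function (it only removes HTML tags and leaves quotes and SQL syntax untouched), and accepting a remote file without checking who is asking or what the file actually is. The following PHP is an added illustration written for this article, not the plugin's own code and not Radykal's: it places a constructed weak handler of each kind beside a hardened version built on the standard WordPress APIs ($wpdb->prepare, absint, current_user_can, check_ajax_referer, wp_safe_remote_get, wp_check_filetype_and_ext, sanitize_file_name). The demo_* function names, the demo_products table and the demo/ upload subdirectory are assumptions made for the example.

```php
<?php
/**
 * Illustrative handlers (constructed for this article, not the plugin's code).
 * Assumes a WordPress runtime: $wpdb and the wp_* helpers are available.
 * All demo_* names, the demo_products table and the demo/ directory are hypothetical.
 */

// --- SQL injection: strip_tags() is not an escaping function ----------------

// Weak pattern: strip_tags() removes HTML tags but leaves quotes and SQL
// keywords intact, so the value is still concatenated into the query as raw SQL.
function demo_get_product_weak( $raw_id ) {
    global $wpdb;
    $id = strip_tags( $raw_id );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}demo_products WHERE ID = " . $id );
}

// Hardened pattern: coerce the value to its expected type and bind it with a
// placeholder through $wpdb->prepare(), so the database never sees user text as SQL.
function demo_get_product_hardened( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id ); // numeric identifier: cast it, do not "sanitise" it as text
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo_products WHERE ID = %d", $id )
    );
}

// --- Remote file save: authorise the caller, then validate the file ---------

// Weak pattern: no authentication, fetches whatever URL it is handed and writes
// the body under the URL's own file name, so nothing ever checks the file type.
function demo_save_remote_file_weak( $url ) {
    $body = wp_remote_retrieve_body( wp_remote_get( $url ) );
    $name = basename( (string) parse_url( $url, PHP_URL_PATH ) );
    $dest = wp_upload_dir()['basedir'] . '/demo/' . $name;
    file_put_contents( $dest, $body );
    return $dest;
}

// Hardened pattern: capability and nonce checks, a safe fetch, content and
// extension validation against an explicit allow-list, and a sanitised name.
function demo_save_remote_file_hardened( $url ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    check_ajax_referer( 'demo_save_remote_file', 'nonce' ); // dies on a bad/missing nonce

    // wp_safe_remote_get() refuses non-http(s) schemes and local/private hosts.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch remote file.' );
    }

    $name = sanitize_file_name( basename( (string) parse_url( $url, PHP_URL_PATH ) ) );
    $tmp  = tempnam( get_temp_dir(), 'demo-' );
    file_put_contents( $tmp, wp_remote_retrieve_body( $response ) );

    // Allow-list of the only types this feature needs; image content is sniffed
    // by wp_check_filetype_and_ext(), which returns false ext/type on a mismatch.
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $check   = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // extension corrected to match real content
    }

    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'demo/';
    wp_mkdir_p( $dir );
    $dest = $dir . $name;
    if ( ! rename( $tmp, $dest ) ) {
        @unlink( $tmp );
        return new WP_Error( 'write_failed', 'Could not store file.' );
    }
    return $dest;
}
```

When reviewing a plugin for either class of bug, the quick checks are the ones the hardened functions make explicit: every query that touches request data goes through $wpdb->prepare with a typed placeholder rather than through a text sanitiser, and every upload or remote-fetch endpoint has a capability check, a nonce check and a content-based type check before anything is written under wp-content/uploads.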
Patchstack promptly notified Radykal about the vulnerabilities on March 18, 2024. Despite this, Radykal has not responded, and the flaws remain unpatched even after the release of 20 updates, including version 6.4.3 two months ago.
On January 6, 2025, Patchstack added the vulnerabilities to its database and published a detailed blog post to alert users. The writeup provides sufficient technical information for attackers to develop exploits, posing a significant threat to websites using the plugin.
Bijay Pokharel