Vulnerabilities in Fancy Product Designer WordPress Plugin (CVE-2024-51919, CVE-2024-51818)

Bar Refael

January 9, 2025

The premium WordPress plugin Fancy Product Designer, widely used for product customization on WooCommerce websites, suffers from two critical security vulnerabilities. These flaws, tracked as CVE-2024-51919 and CVE-2024-51818, remain unpatched in the latest version, 6.4.3, and expose websites to severe risks including remote code execution (RCE) and SQL injection (SQLi).

With over 20,000 sales and broad usage across WooCommerce platforms, the lack of response from the developer, Radykal, significantly heightens the risk of exploitation, especially as technical details and potential exploits have been publicly disclosed.

Vulnerabilities Identified

  1. CVE-2024-51919: Unauthenticated Arbitrary File Upload
    • Description:
      The plugin’s save_remote_file and fpd_admin_copy_file functions fail to validate or restrict file types during uploads, allowing attackers to upload malicious files such as PHP scripts to the server.
    • Impact:
      • Remote Code Execution (RCE): Enables attackers to execute arbitrary commands or scripts on the server.
    • Severity: Critical (CVSS 9.0).
    • Exploitation Details:
      • Exploitable via the webhook_create_pr_file function, which is exposed as a custom REST API endpoint.
      • Lack of permission checks in the endpoint allows unauthenticated attackers to upload files via a user-supplied URL.
  2. CVE-2024-51818: Unauthenticated SQL Injection
    • Description:
      The get_products_sql_attrs function fails to properly sanitize user input before constructing SQL queries, making the plugin vulnerable to SQL injection attacks.
    • Impact:
      • Database compromise, including data retrieval, modification, and deletion.
      • Potential for full site compromise if sensitive data like administrator credentials are accessed.
    • Severity: Critical (CVSS 9.3).
    • Exploitation Details:
      • Input from $_POST['fpd_filter_users_select'] is sanitized using the insufficient strip_tags function, allowing attackers to inject SQL code.
      • The injected SQL is processed via the $wpdb->get_results() query execution without proper escaping or validation.

Affected Versions

  • Fancy Product Designer Plugin: All versions up to and including 6.4.3.

Mitigation Recommendations

Until Radykal releases a security patch, users should implement the following mitigations:

  1. Disable the Fancy Product Designer Plugin:
    • Temporarily deactivate the plugin to prevent exploitation.
  2. Restrict File Uploads:
    • Implement a whitelist for allowed file extensions (e.g., .jpg, .png).
    • Configure the server to block execution of scripts in upload directories.
  3. Harden SQL Queries:
    • Use prepared statements and parameterized queries so user input is bound as data rather than concatenated into the SQL string.
    • Explicitly cast variables to their intended types (e.g., integers for IDs).
  4. Web Application Firewall (WAF):
    • Deploy a WAF to monitor and block malicious requests targeting file upload or SQL injection vulnerabilities.
  5. Monitor Logs and Activity:
    • Regularly review server logs for signs of unauthorized file uploads or suspicious database queries.
  6. Explore Alternative Plugins:
    • Consider replacing Fancy Product Designer with a more secure plugin offering similar functionality.

Exploitation Risk

The public disclosure of technical details and vulnerable code increases the likelihood of exploitation, especially for high-value WooCommerce sites. Exploiting these vulnerabilities could allow attackers to:

  • CVE-2024-51919: Execute commands or deploy malware via uploaded PHP scripts.
  • CVE-2024-51818: Exfiltrate sensitive database contents or manipulate site functionality.

Both vulnerabilities are unauthenticated, making exploitation feasible by remote attackers without credentials.

Best Practices for Developers

  1. File Upload Security:
    • Validate file names and extensions against a whitelist.
    • Verify the content type of uploaded files.
  2. SQL Query Security:
    • Always pass user input to the database through prepared statements.
    • Never rely on string manipulation functions like strip_tags as SQL sanitization; they do not neutralize SQL syntax.
  3. Secure REST API Endpoints:
    • Implement strict permission checks for all exposed endpoints.
    • Validate and sanitize all inputs received via API calls.
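As an added illustration of the three practices above (not code from the plugin or from Radykal), the following hypothetical WordPress snippet shows a hardened counterpart to each pattern the advisory describes: a `$wpdb->prepare()` placeholder in place of strip_tags, a REST route with a permission_callback, and an upload handler that whitelists image types by content. The function names, the `fpd_products` table, the assumption that fpd_filter_users_select carries a numeric user ID, and the use of a multipart upload instead of a remote URL are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's code: hardened forms of the two patterns the
// advisory describes. Function names, the fpd_products table and the idea that
// fpd_filter_users_select carries a user ID are assumptions for illustration.
// 1. SQL: a %d placeholder in $wpdb->prepare() replaces strip_tags(), so the
//    value can never become part of the query text.
function fpd_hardened_products_sql_attrs( $filter_user ) {
    global $wpdb;
    $user_id = absint( $filter_user );          // non-numeric input becomes 0
    if ( 0 === $user_id ) {
        return array();                          // reject rather than guess
    }
    $sql = $wpdb->prepare(
        "SELECT ID, title FROM {$wpdb->prefix}fpd_products WHERE user_id = %d",
        $user_id
    );
    return $wpdb->get_results( $sql );
}

// 2. REST endpoint: permission_callback stops unauthenticated callers before
//    the handler runs, and the upload is checked against an image whitelist.
add_action( 'rest_api_init', function () {
    register_rest_route( 'fpd-hardened/v1', '/file', array(
        'methods'             => 'POST',
        'callback'            => 'fpd_hardened_store_file',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function fpd_hardened_store_file( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'fpd_no_file', 'No file received', array( 'status' => 400 ) );
    }
    $name    = sanitize_file_name( $files['file']['name'] );
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    // Checks the real content, not just the extension, against the whitelist.
    $check = wp_check_filetype_and_ext( $files['file']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'fpd_bad_type', 'Only JPG/PNG allowed', array( 'status' => 415 ) );
    }
    $dest = trailingslashit( wp_upload_dir()['path'] ) . basename( $name );
    if ( ! move_uploaded_file( $files['file']['tmp_name'], $dest ) ) {
        return new WP_Error( 'fpd_store', 'Could not store file', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'stored' => basename( $dest ) ), 201 );
}
```

Pair the handler with a server rule that refuses to execute scripts under the uploads directory, as recommended in the mitigations above, so a whitelist bypass still cannot yield code execution.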

Recommendations for Affected Users

  1. Immediate Action:
    • Disable the plugin until a patch is available or mitigations are implemented.
  2. Vendor Pressure:
    • Contact Radykal to request urgent resolution of these vulnerabilities.
  3. Long-Term Strategy:
    • Regularly audit WordPress plugins for vulnerabilities.
    • Subscribe to vulnerability databases like Patchstack for timely updates.