Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version.

With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size.

While examining the plugin, Patchstack’s Rafie Muhammad discovered on March 17, 2024, that the plugin was vulnerable to the following two critical flaws:

• CVE-2024-51919 (CVSS score: 9.0): Unauthenticated arbitrary file upload vulnerability caused by an insecure implementation of file upload functions ‘save_remote_file’ and ‘fpd_admin_copy_file,’ that do not properly validate or restrict file types. Attackers can exploit this by supplying a remote URL to upload malicious files, achieving remote code execution (RCE).
• CVE-2024-51818 (CVSS score: 9.3): Unauthenticated SQL injection flaw caused by the improper sanitization of user inputs due to the use of the insufficient ‘strip_tags.’ User-supplied input is directly integrated into database queries without proper validation, potentially leading to database compromise, data retrieval, modification, and deletion.

Despite Patchstack notifying the vendor of the issues a day after discovering them, Radykal never answered back.

On January 6, Patchstack added the flaws to its database, and today published a blog post to warn users and raise awareness about the risks.

Even after releasing 20 new versions, with the latest being 6.4.3, released 2 months ago, the two critical security issues remain unpatched, Muhammad says.

Patchstack's writeup provides sufficient technical information for attackers to create exploits and start targeting web stores that use Radykal's Fancy Product Designer plugin.

As a general recommendation, admins should prevent arbitrary file uploads by creating an allowed list with safe file extensions. Additionally, Patchstack recommends to protect against SQL injection by sanitizing the user's input for a query by doing a safe escape and format.

BleepingComputer has contacted Radycal to ask if they plan on releasing a security update soon, but a comment wasn’t immediately available.