The premium WordPress plugin Fancy Product Designer from Radykal remains vulnerable to two critical-severity flaws in its latest version, which is still unpatched.
With over 20,000 sales, the plugin lets customers on WooCommerce sites customize products such as clothes, mugs and phone cases by changing colors, editing text or resizing elements.
A vulnerability analysis by Rafie Muhammad of Patchstack, published on March 17, 2024, found that the plugin contains two critical flaws:
- Unauthenticated arbitrary file upload (CVSS rating: 9.0), caused by the insecure design of the ‘save_remote_file’ and ‘fpd_admin_copy_file’ functions, which fail to verify or restrict file types. An attacker can supply a remote URL pointing to a malicious file and thereby achieve remote code execution (RCE).
- A severe unauthenticated SQL injection vulnerability (CVSS rating: 9.3), caused by relying on ‘strip_tags’ to sanitize user input. User-supplied data is inserted directly into database queries without proper validation, putting the database at high risk of unauthorized access, data retrieval, modification and deletion.
Patchstack notified the vendor of the issues a day later, but Radykal never responded or provided any further communication.
On January 6, Patchstack added the vulnerabilities to its database and published a blog post alerting customers and raising awareness of the risks.
Two months and 20 new releases later, including the latest version 6.4.3, the two critical security vulnerabilities remain unpatched, according to Muhammad.
Attackers now have enough technical detail to craft exploits and target online stores that use Radykal’s Fancy Product Designer plugin.
Admins should restrict file uploads with an allowlist of permitted extensions and MIME types, so that unauthorized uploads cannot compromise the system. Patchstack also advises protecting against SQL injection by escaping and properly formatting user input before it reaches a query.
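As an added illustration that is not the plugin's or Patchstack's code (the table name and function names are hypothetical; `$wpdb`, `wp_check_filetype()`, `wp_safe_remote_get()` and `wp_upload_bits()` are standard WordPress APIs), here are the two anti-patterns the advisory describes, each beside the hardened form a WordPress developer would use:

```php
<?php
// Added example, not Radykal's code. Table and function names are hypothetical.

// 1. SQL: strip_tags() removes HTML markup but leaves quote characters intact,
//    so it is not a SQL escape and must not be used as one.
function find_design_weak( $id ) {
    global $wpdb;
    $id = strip_tags( $id );      // a quote character in $id survives this unchanged
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_designs WHERE id = '$id'" );
}

function find_design_safe( $id ) {
    global $wpdb;
    // prepare() binds the value through a typed placeholder (%d here), so user
    // data never becomes part of the query text.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}example_designs WHERE id = %d", $id )
    );
}

// 2. Remote file fetch: require a capability, allowlist the extension, and verify
//    the MIME type of the downloaded bytes instead of trusting the URL or headers.
function save_remote_file_safe( $url ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $name    = sanitize_file_name( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $type    = wp_check_filetype( $name, $allowed );    // extension allowlist
    if ( empty( $type['ext'] ) ) {
        return new WP_Error( 'bad_ext', 'File extension is not on the allowlist.' );
    }
    // wp_safe_remote_get() rejects URLs that point at local or private hosts.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $body = wp_remote_retrieve_body( $response );
    $mime = finfo_buffer( finfo_open( FILEINFO_MIME_TYPE ), $body );   // sniff the bytes
    if ( $mime !== $type['type'] ) {
        return new WP_Error( 'bad_mime', 'Content does not match the allowed type.' );
    }
    // Stored under wp-content/uploads with a unique filename; returns file/url/error.
    return wp_upload_bits( $name, null, $body );
}
```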
BleepingComputer reached out to Radykal to ask about its plans for a timely security patch, but no immediate comment was available.