Two critical vulnerabilities have been discovered in the popular WordPress plugin Fancy Product Designer, developed by Radykal, which remain unpatched in the latest version. This plugin, sold over 20,000 times, enables users to customize product designs—such as apparel, mugs, and phone cases—on WooCommerce sites by modifying colors, text, or element sizes.
On March 17, 2024, Patchstack researchers identified the following critical vulnerabilities:
- CVE-2024-51919 (CVSS 9.0): an unauthenticated arbitrary file upload vulnerability. The file upload functions save_remote_file and fpd_admin_copy_file lack adequate file type validation, allowing attackers to upload malicious files from remote URLs. This can result in remote code execution (RCE).
- CVE-2024-51818 (CVSS 9.3): an unauthenticated SQL injection vulnerability. User input is insufficiently sanitized because the code relies on the strip_tags function, which removes HTML tags but not SQL metacharacters, so malicious queries can be injected into the database. This could lead to database compromise, including theft, modification, or deletion of data.
Despite Patchstack notifying the developers of these issues on March 18, 2024, Radykal has yet to respond. The vulnerabilities were subsequently added to Patchstack’s database in January 2025, and on January 6, a detailed report was published to warn users of the risks.
Even after multiple updates, including the latest version (6.4.3) released two months ago, these critical issues remain unresolved.
Patchstack advises administrators to take the following measures to mitigate security risks:
- Restrict arbitrary file uploads by implementing a whitelist of allowed file extensions.
- Safeguard databases against SQL injection by sanitizing and validating user input using secure coding practices.
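The following PHP is an added illustration of the two mitigations above, written for this article; it is not code from Fancy Product Designer, Radykal, or Patchstack, and the function names (fpd_demo_*), the table name, and the AJAX action are hypothetical. It shows a file-extension and MIME allow-list applied before a file is accepted, a parameterized query via $wpdb->prepare() in place of strip_tags(), and an AJAX handler registered only for authenticated users, since unauthenticated reachability is what both CVEs share. It assumes a loaded WordPress environment.

```php
<?php
// Added example for this article; not the plugin's own code.
// All fpd_demo_* names, the table name and the AJAX action are hypothetical.

/**
 * Allow-list check for an uploaded (or remotely fetched, then temp-stored) file.
 * Returns the accepted extension, or a WP_Error on rejection.
 */
function fpd_demo_validate_upload( string $tmp_path, string $original_name ) {
    // Only these extensions and MIME types are acceptable design assets.
    // Executable types (php, phtml, etc.) are simply absent from the list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    $name = sanitize_file_name( $original_name );

    // Reject double extensions such as "design.php.png" outright.
    if ( substr_count( $name, '.' ) !== 1 ) {
        return new WP_Error( 'bad_name', 'Filename must contain exactly one extension.' );
    }

    // wp_check_filetype_and_ext() matches the extension against $allowed and,
    // for image types, sniffs the real content so a renamed script does not pass.
    $check = wp_check_filetype_and_ext( $tmp_path, $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type is not on the allow-list.' );
    }

    return $check['ext'];
}

/**
 * Look up a saved design by a user-supplied id.
 * strip_tags() strips HTML, not SQL metacharacters, so the value is bound
 * with $wpdb->prepare() instead of being concatenated into the query.
 */
function fpd_demo_get_design( int $design_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fpd_demo_designs'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d LIMIT 1",
        $design_id
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * AJAX handler: nonce + capability check, then allow-list validation,
 * then the standard WordPress upload path, which re-validates the type.
 */
function fpd_demo_handle_save() {
    check_ajax_referer( 'fpd_demo_save' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['design'] ) ) {
        wp_send_json_error( 'missing file', 400 );
    }

    $ext = fpd_demo_validate_upload( $_FILES['design']['tmp_name'], $_FILES['design']['name'] );
    if ( is_wp_error( $ext ) ) {
        wp_send_json_error( $ext->get_error_message(), 400 );
    }

    $moved = wp_handle_upload(
        $_FILES['design'],
        array(
            'test_form' => false,
            'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' ),
        )
    );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    $design_id = isset( $_POST['design_id'] ) ? absint( $_POST['design_id'] ) : 0;
    wp_send_json_success( array(
        'file'   => $moved['url'],
        'design' => fpd_demo_get_design( $design_id ),
    ) );
}

// Registered for logged-in users only; there is deliberately no
// wp_ajax_nopriv_ registration, so the endpoint is not reachable unauthenticated.
add_action( 'wp_ajax_fpd_demo_save', 'fpd_demo_handle_save' );
```

The same validation applies when a file is fetched from a remote URL rather than posted by the browser: write the fetched bytes to a temporary file first and pass that path through the allow-list check before it is moved anywhere web-accessible. The %d placeholder in prepare() additionally coerces the id to an integer, so even a crafted design_id parameter cannot alter the query structure.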