Unpatched critical flaws impact Fancy Product Designer WordPress plugin
Latest News on Fancy Product Designer WordPress Vulnerabilities
Critical Flaws in Fancy Product Designer Plugin:
The Fancy Product Designer WordPress plugin, developed by Radykal, has been identified with two critical-severity flaws that remain unfixed in the current latest version. These vulnerabilities include:
- SQL Injection: The plugin is vulnerable to SQL injection attacks, which can allow attackers to execute malicious SQL code and potentially gain unauthorized access to the database.
- Arbitrary File Upload: The plugin also allows for arbitrary file uploads, which can be exploited to upload malicious files that can be executed by the server, leading to further security breaches.
These critical flaws have significant implications for users of the Fancy Product Designer plugin, emphasizing the need for immediate action to mitigate these risks.
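The two bug classes named above are the most common ways WordPress plugins end up with a database takeover or a web shell on disk. The following is an added illustration, not code from the Fancy Product Designer plugin or from Radykal: each class is shown as the unsafe pattern a reviewer would flag next to a hardened form built only from standard WordPress APIs. The table name, AJAX action names and function names are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Hypothetical table, action and function names.

// ---------- SQL injection ----------

// Unsafe: the request parameter is concatenated straight into the SQL text,
// so anything the caller puts in "id" becomes part of the query.
function example_get_design_unsafe() {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_designs WHERE id = " . $_GET['id'];
    return $wpdb->get_row( $sql );
}

// Hardened: the value is cast to an integer and bound through $wpdb->prepare(),
// so the query structure is fixed before any user data is attached.
function example_get_design_hardened( $design_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_designs WHERE id = %d",
        absint( $design_id )
    );
    return $wpdb->get_row( $sql );
}

// ---------- Arbitrary file upload ----------

// Unsafe: reachable without login (wp_ajax_nopriv_), no nonce, no capability check,
// the original filename is trusted, and any file type is written under the web root.
function example_upload_unsafe() {
    $dir  = wp_upload_dir();
    $dest = $dir['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}
add_action( 'wp_ajax_nopriv_example_upload', 'example_upload_unsafe' );

// Hardened: logged-in users only, CSRF token, capability check, an allow-list of
// image types whose extension and sniffed content must agree, and core's own
// wp_handle_upload() to sanitize the name and place the file.
function example_upload_hardened() {
    check_ajax_referer( 'example_upload', 'nonce' );       // rejects forged requests
    if ( ! current_user_can( 'upload_files' ) ) {          // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Allow-list: only these extension/MIME pairs are accepted. No SVG, no PHP, no archives.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    // test_form=false because this is an AJAX request, not a form post; mimes re-applies the allow-list.
    $moved = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
add_action( 'wp_ajax_example_upload', 'example_upload_hardened' );
```

Two details matter for review. The unsafe upload handler is registered on the `wp_ajax_nopriv_` hook, which is what turns a file-type bug into an unauthenticated one; the hardened version is registered only on `wp_ajax_`, so the request must already carry a valid login cookie before any of the checks run. And the allow-list is applied twice on purpose: `wp_check_filetype_and_ext()` compares the extension with the file's actual content, and passing the same `mimes` array to `wp_handle_upload()` means the file is rejected even if a later refactor removes the first check.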
Recent WordPress Security Updates
WordPress Core Update:
WordPress 6.7.1 is available, featuring 16 bug fixes throughout Core and the Block Editor. However, this update does not address the specific vulnerabilities in the Fancy Product Designer plugin.
Other Vulnerabilities:
Several other plugins have been identified with vulnerabilities that require updates:
- Host PHP Info Plugin: A critical vulnerability was identified in the Host PHP Info plugin due to a missing capability check on the code path that calls the 'phpinfo' function, allowing unauthorized access to data.
- Dynamics 365 Integration Plugin: This plugin is vulnerable to Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection, affecting all versions up to 1.3.23.
- WP SecureSubmit Plugin: This plugin has two medium-severity vulnerabilities: Broken Access Control and Sensitive Data Exposure, with no patches available yet.
- Chative Live Chat and Chatbot Plugin: A cross-site request forgery (CSRF) vulnerability exists in this plugin, affecting its 50+ installations.
- Fancy Product Designer Plugin: As mentioned, this plugin has two critical vulnerabilities: SQL Injection and Arbitrary File Upload, which remain unfixed.
Mitigation Steps
- Update Plugins: Users should update their plugins to the latest versions available. For example, the Fancy Product Designer plugin should be updated if a patch is released, and other plugins like Spectra, WPC Smart Quick View for WooCommerce, and AMP for WP should be updated to their respective patched versions.
- Use Security Tools: Utilize security tools like the Sucuri Firewall and virtual patches from Patchstack to protect against known vulnerabilities.
- Deactivate Vulnerable Plugins: If no patch is forthcoming from the vendor or if the vulnerable software has been marked “closed” and dropped from official repositories, users should deactivate the plugin and seek alternative solutions.
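The first and third steps above can be automated on a site that has to keep running while a vendor fix is pending. The following must-use plugin is an added example, not a Radykal, Patchstack or Sucuri product: it compares each installed plugin against a small advisory list, deactivates any whose version is still in the affected range (or for which no fixed version exists), and records what it did. The plugin basenames and version numbers in the advisory list are constructed placeholders, not values from any real advisory; replace them with the entries from your own vulnerability feed.

```php
<?php
/**
 * Plugin Name: Example Vulnerable Plugin Audit
 * Description: Added example (not a vendor product). Place in wp-content/mu-plugins/.
 */

// Constructed advisory list: plugin basename => first fixed version, or null when no patch exists.
// These basenames and versions are placeholders, not taken from any real advisory.
function example_audit_advisories() {
    return array(
        'example-unpatched-plugin/example-unpatched-plugin.php' => null,    // vendor has not shipped a fix
        'example-patched-plugin/example-patched-plugin.php'     => '2.4.1', // fixed from 2.4.1 onwards
    );
}

// Pure decision: a plugin is vulnerable when no fix exists, or when its version predates the fix.
function example_audit_is_vulnerable( $installed_version, $fixed_in ) {
    if ( null === $fixed_in ) {
        return true;
    }
    return version_compare( $installed_version, $fixed_in, '<' );
}

// Walks the installed plugins, deactivates vulnerable active ones, and returns a per-plugin summary.
function example_audit_run() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugins(); // basename => plugin header array, including 'Version'
    $actions   = array();

    foreach ( example_audit_advisories() as $basename => $fixed_in ) {
        if ( ! isset( $installed[ $basename ] ) ) {
            continue; // not installed on this site
        }
        $version = $installed[ $basename ]['Version'];

        if ( ! example_audit_is_vulnerable( $version, $fixed_in ) ) {
            $actions[ $basename ] = 'patched version ' . $version . ' installed';
            continue;
        }
        if ( is_plugin_active( $basename ) ) {
            deactivate_plugins( $basename );
            $actions[ $basename ] = 'deactivated vulnerable version ' . $version;
        } else {
            $actions[ $basename ] = 'vulnerable version ' . $version . ' present but inactive';
        }
    }

    // Keep a record for the admin notice and for incident timelines (autoload=false keeps it off every request).
    update_option( 'example_audit_last_run', array( 'time' => time(), 'actions' => $actions ), false );
    return $actions;
}
add_action( 'admin_init', 'example_audit_run' );

// Surface the result to administrators so a silent deactivation is not mistaken for an outage.
function example_audit_notice() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $last = get_option( 'example_audit_last_run' );
    if ( empty( $last['actions'] ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Plugin audit:</strong></p><ul>';
    foreach ( $last['actions'] as $basename => $action ) {
        echo '<li>' . esc_html( $basename . ': ' . $action ) . '</li>';
    }
    echo '</ul></div>';
}
add_action( 'admin_notices', 'example_audit_notice' );
```

Deactivating a plugin from `admin_init` is deliberate: a must-use plugin cannot itself be deactivated through the dashboard, so the check runs on every admin page load and re-applies the decision if someone re-enables the vulnerable plugin by hand. Update the advisory list when the vendor ships a fix (set the fixed version in place of `null`), after which the audit stops touching that plugin as soon as the patched version is installed.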
Conclusion
The Fancy Product Designer plugin is currently vulnerable to critical flaws, and users are advised to take immediate action to mitigate these risks. Additionally, other plugins and themes have been identified with vulnerabilities that require updates. Regularly checking for security updates and using robust security tools can help protect WordPress installations from potential threats.