Article Details
Scrape Timestamp (UTC): 2025-01-08 21:39:23.867
Original Article Text
Unpatched critical flaws impact Fancy Product Designer WordPress plugin

Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical-severity flaws that remain unfixed in the current latest version.

With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size.

While examining the plugin on March 17, 2024, Patchstack's Rafie Muhammad discovered that it was vulnerable to the following two critical flaws:

Although Patchstack notified the vendor of the issues a day after discovering them, Radykal never answered. On January 6, Patchstack added the flaws to its database, and today published a blog post to warn users and raise awareness of the risks.

Even after releasing 20 new versions, the latest being 6.4.3, released two months earlier, the two critical security issues remain unpatched, Muhammad says.

Patchstack's writeup provides enough technical detail for attackers to build exploits and start targeting web stores that use Radykal's Fancy Product Designer plugin.

As a general recommendation, admins should prevent arbitrary file uploads by enforcing an allowlist of safe file extensions rather than a blocklist of dangerous ones. Additionally, Patchstack recommends protecting against SQL injection by escaping and formatting user input before it is placed in a query, so that the value can never change the query's structure.

BleepingComputer has contacted Radykal to ask whether it plans to release a security update soon, but a comment was not immediately available.
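The two mitigations the article recommends, an upload extension allowlist and escaped or bound query parameters, shown side by side with the unsafe pattern they replace. This is an added example; it is not code from the article, from Patchstack's writeup, or from Radykal's plugin. It is plain PHP 8 using PDO with an in-memory SQLite database so it runs without WordPress, and the table name, column names, sample filenames and attacker payload are constructed for the demonstration. It goes one step beyond the article by also checking the file's leading bytes, because an extension allowlist alone does not catch a PHP file renamed to .png.

```php
<?php
// Added example for this page; not code from the article, Patchstack, or
// Radykal's plugin. Plain PHP 8 with PDO + in-memory SQLite so it runs
// stand-alone: php mitigations.php
// Assumptions: the upload path only needs raster images; the "designs"
// table and its columns are invented for the demonstration.

declare(strict_types=1);

// ---- 1. Arbitrary file upload: allowlist the extension AND check content ---

const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

// Leading bytes of each allowlisted format (WebP also needs "WEBP" at offset 8).
const MAGIC_BYTES = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => 'GIF8',
    'webp' => 'RIFF',
];

/**
 * Returns the lower-cased extension when $filename is acceptable, else null.
 * Every dot-separated segment after the base name must be allowlisted, which
 * rejects "shell.php.jpg" (executed as PHP by some Apache AddHandler setups),
 * trailing dots, empty segments, path separators and NUL bytes.
 */
function allowed_upload_extension(string $filename): ?string
{
    if ($filename === '' || str_contains($filename, "\0") || strpbrk($filename, "/\\") !== false) {
        return null;
    }
    $segments = explode('.', $filename);
    array_shift($segments);                       // drop the base name
    if ($segments === []) {
        return null;                              // no extension at all
    }
    foreach ($segments as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_UPLOAD_EXTENSIONS, true)) {
            return null;
        }
    }
    return strtolower(end($segments));
}

/** True when the file's leading bytes match what the extension claims. */
function content_matches_extension(string $ext, string $bytes): bool
{
    $magic = MAGIC_BYTES[$ext] ?? '';
    if ($magic === '' || !str_starts_with($bytes, $magic)) {
        return false;
    }
    return $ext !== 'webp' || substr($bytes, 8, 4) === 'WEBP';
}

/** Combined check an upload handler would run before saving the file. */
function upload_is_acceptable(string $filename, string $bytes): bool
{
    $ext = allowed_upload_extension($filename);
    return $ext !== null && content_matches_extension($ext, $bytes);
}

// ---- 2. SQL injection: interpolated query beside its prepared-statement fix

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE designs (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
    $db->exec("INSERT INTO designs (owner, title) VALUES ('alice', 'Blue mug'), ('bob', 'Red tee')");
    return $db;
}

// Vulnerable: user input becomes part of the SQL text.
function designs_for_owner_unsafe(PDO $db, string $owner): array
{
    return $db->query("SELECT title FROM designs WHERE owner = '$owner'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound, so it cannot alter the query's structure.
// The WordPress equivalent is $wpdb->prepare("... WHERE owner = %s", $owner).
function designs_for_owner_safe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT title FROM designs WHERE owner = ?');
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// ---- Demonstration with constructed inputs ---------------------------------

$png = "\x89PNG\r\n\x1A\n" . str_repeat("\0", 16);      // constructed PNG header
$php = "<?php system(\$_GET['c']); ?>";                   // constructed web-shell body

$cases = [
    ['logo.png',      $png],   // accepted
    ['shell.php',     $php],   // rejected: extension not allowlisted
    ['shell.php.jpg', $php],   // rejected: inner .php segment
    ['shell.png',     $php],   // rejected: content is not a PNG
    ['../evil.png',   $png],   // rejected: path separator
];
foreach ($cases as [$name, $bytes]) {
    printf("%-15s %s\n", $name, upload_is_acceptable($name, $bytes) ? 'ACCEPT' : 'REJECT');
}

$db = make_db();
$payload = "' OR '1'='1";                               // constructed attacker input
print_r(designs_for_owner_unsafe($db, $payload));       // both rows: injection succeeded
print_r(designs_for_owner_safe($db, $payload));         // empty array: treated as a literal
```

In a real WordPress plugin the same two checks map onto wp_check_filetype_and_ext(), which verifies the extension against the site's allowed MIME types and sniffs the file's content, and $wpdb->prepare(), which does the escape-and-format step the article describes. The extension allowlist is only a first layer: uploads should also be written to a location where the web server will not execute scripts, so that a bypass of the filename check does not become code execution.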
Daily Brief Summary
The Fancy Product Designer plugin for WordPress, developed by Radykal, has two unpatched critical vulnerabilities.
Despite being notified by Patchstack, Radykal has not responded or updated the plugin to address these security issues.
The plugin has over 20,000 sales and is used primarily on WooCommerce sites to customize products such as clothing and phone cases.
Patchstack discovered these vulnerabilities on March 17, 2024, and subsequently published a blog post to warn users and encourage mitigation.
The latest version of the plugin, 6.4.3, still contains these critical flaws despite the release of 20 new versions.
Patchstack’s report provides technical details potentially enabling attackers to exploit these vulnerabilities.
Recommended mitigations include restricting file uploads to an allowlist of safe extensions and protecting against SQL injection by escaping and formatting user input before it is used in a query.
BleepingComputer has reached out to Radykal for comments on potential security updates but has yet to receive a response.