January 9, 2025 By Sead Fadilpašić
Even though the bug was found in March 2024, it's still present in new versions
(Image credit: Pixabay)
- Researchers from Patchstack find two new flaws in Fancy Product Designer
- The Radykal-built WordPress plugin has more than 20,000 active users
- The flaws allowed for remote code execution, arbitrary file upload, and more
A popular WordPress plugin was found carrying two critical vulnerabilities that allow threat actors to upload files, tamper with databases, and essentially take over compromised websites.
To make matters worse, the vulnerabilities remained in the code for more than half a year, despite the developers being notified, and actively working on new versions in the meantime.
Cybersecurity researchers from Patchstack claim in late March 2024, they discovered two vulnerabilities in Fancy Product Designer, a premium website builder plugin developed by Radykal, which allows users to create and customize products, such as t-shirts, mugs, or posters, with various design tools and options for e-commerce stores. It has more than 20,000 sales.
