So I just read that the fancy product designer plugin has two major security flaws. Apparently, one lets hackers upload files (including PHP) and another allows them to run SQL commands directly on a WordPress database. Both are still unpatched in version 6.4.3. Patchstack researchers tried reaching out to the developer, but no response yet. If you’re using this plugin, might be a good idea to disable it for now.
Yikes. So they can basically take over your site with this?
Keaton said:
Yikes. So they can basically take over your site with this?
Yeah, the RCE part is super bad. They can upload any PHP file and run whatever they want.
RCE?
@Keaton
Remote Code Execution. Basically, it means they can run their own code on your server, which is really dangerous.
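To make the upload-to-RCE path concrete, here is an added example (not the plugin's code and not from anyone in the thread): a WordPress AJAX upload handler that trusts the client, beside one that lets core enforce a MIME allow-list. The action name `pd_upload_design`, the nonce name and the decision to accept only images are assumptions; the WordPress functions used (`wp_handle_upload`, `check_ajax_referer`, `current_user_can`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Assumes it runs inside WordPress
// and that the form sends a nonce created with wp_create_nonce( 'pd_upload_design' ).

// VULNERABLE: no capability check, no nonce, no file-type check. The
// client-supplied name is written straight into wp-content/uploads/, so a
// request carrying shell.php lands on disk and is executable from the browser.
function pd_upload_vulnerable() {
    $dest = wp_upload_dir()['path'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// HARDENED: require a logged-in user with the right capability, verify the
// nonce, then hand the file to wp_handle_upload() with an explicit allow-list.
// With 'mimes' set, core runs wp_check_filetype_and_ext(), which checks both
// the extension and the file's real content, and rejects anything else.
function pd_upload_hardened() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'pd_upload_design', 'nonce' ); // dies on a bad/missing nonce

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Assumption: the product designer only needs raster images.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,    // not the core media form, so skip that check
            'mimes'     => $allowed, // anything not in this list is refused
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 415 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}

// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ variant, so anonymous visitors cannot reach the handler.
add_action( 'wp_ajax_pd_upload_design', 'pd_upload_hardened' );
```

Two things worth noting about the hardened version: the allow-list is enforced server-side on the file's content, not on the name the browser sent, and the capability plus nonce checks happen before the file is touched at all. As a second layer, it is common practice to configure the web server to refuse to execute `.php` anywhere under `wp-content/uploads/`, so a future upload bug yields a file on disk rather than code execution.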
The SQL injection thing is just as bad. If they can send SQL commands, they could mess with your whole database.
Sky said:
The SQL injection thing is just as bad. If they can send SQL commands, they could mess with your whole database.
So like… they can delete stuff?
Yep, or steal data, modify things… basically total access to your database.
Wait, the devs haven’t even responded to this yet? That’s wild.
Thayer said:
Wait, the devs haven’t even responded to this yet? That’s wild.
Nope. Patchstack reached out on March 18, 2024, and they still haven’t gotten a response. It was made public on Jan 8, 2025.
@Corey
So they’ve had months to fix it and still nothing?
If you have this plugin, just disable it. No patch means no fix, and you don’t wanna risk your site getting hacked.
Orin said:
If you have this plugin, just disable it. No patch means no fix, and you don’t wanna risk your site getting hacked.
Yeah, no point waiting. Might as well find a safer alternative.
Developers really need to start sanitizing inputs properly. SQL injection is such a basic thing to prevent.
Quinlan said:
Developers really need to start sanitizing inputs properly. SQL injection is such a basic thing to prevent.
Right? The function they used, strip_tags, doesn’t even stop SQL injection. Total fail.
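For the point about strip_tags, here is an added example (not the plugin's code and not posted by anyone in the thread) showing why it does nothing against SQL injection, next to the WordPress-idiomatic fix. The table name `{$wpdb->prefix}pd_designs`, the request parameter `design_id` and the nonce name are assumptions; `$wpdb->prepare`, `$wpdb->esc_like`, `absint` and the nonce/capability helpers are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress environment
// and a hypothetical table {$wpdb->prefix}pd_designs with columns id and name.

// VULNERABLE: strip_tags() only removes <...> tags and NUL bytes. Quotes,
// the -- comment marker and SQL keywords all pass through untouched, so
// design_id=1 OR 1=1 reaches the database as-is and deletes every row.
function pd_delete_design_vulnerable() {
    global $wpdb;
    $id = strip_tags( $_POST['design_id'] );   // "1 OR 1=1 -- " is returned unchanged
    $wpdb->query( "DELETE FROM {$wpdb->prefix}pd_designs WHERE id = $id" );
}

// HARDENED: authorise the caller, verify the nonce, coerce the value to the
// type the column expects, and bind it through $wpdb->prepare() so it can
// never be interpreted as SQL.
function pd_delete_design_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'pd_delete_design', 'nonce' ); // dies on a bad/missing nonce

    $id = absint( $_POST['design_id'] ?? 0 );          // "1 OR 1=1" becomes 1, junk becomes 0
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid design id', 400 );
    }

    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}pd_designs WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Same rule for strings: %s is quoted and escaped by prepare(). A LIKE
// pattern additionally needs esc_like() so user-supplied % and _ stay literal.
function pd_search_designs( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}pd_designs WHERE name LIKE %s",
            $pattern
        )
    );
}
```

The distinction the thread is circling is output-context escaping versus input filtering: strip_tags is an HTML-context tool, and no amount of HTML stripping changes how the database parses the string. The only reliable protection is keeping data out of the query text entirely, which is what `$wpdb->prepare()` placeholders do; type coercion with `absint()` and the capability and nonce checks are defence in depth on top of that.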