CVE-2024-0902 in Fancy Product Designer Plugininfo

Summary

by MITRE • 04/15/2024

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/07/2025

The Fancy Product Designer WordPress plugin versions prior to 6.1.81 contain a critical security vulnerability that stems from inadequate input sanitization and output escaping mechanisms within its administrative settings. This vulnerability specifically affects high-privilege users including administrators who possess the unfiltered_html capability, though it can be exploited even when this capability is restricted in multisite configurations. The flaw represents a classic stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into the plugin's settings which are then executed whenever the affected pages are loaded by other users.

The technical implementation of this vulnerability occurs within the plugin's administrative interface where user inputs are not properly validated or escaped before being stored in the database and subsequently rendered in the web browser. When administrators configure product design elements through the Fancy Product Designer interface, the plugin fails to sanitize the data entered into various fields, particularly those related to custom CSS, JavaScript, or HTML content. This insufficient sanitization creates an environment where malicious scripts can persist in the database and execute in the context of other users' browsers, particularly those with administrative privileges or those who might view product designs created by compromised administrators.

The operational impact of this vulnerability extends beyond simple XSS exploitation as it provides attackers with elevated privileges within the WordPress environment. When combined with the fact that the vulnerability persists even in multisite setups where unfiltered_html is typically restricted, attackers can potentially compromise entire network installations. The stored nature of the XSS attack means that the malicious payloads remain active until manually removed from the database, allowing for persistent exploitation over extended periods. This vulnerability particularly affects organizations that rely on WordPress multisite installations for managing multiple domains or networks, where administrators might assume that capability restrictions provide adequate protection against such attacks.

Security practitioners should consider this vulnerability in relation to the CWE-79 category of Cross-Site Scripting, which specifically addresses the injection of malicious scripts into web applications. The ATT&CK framework categorizes this as a technique for code injection within the Execution phase, specifically under T1059.001 for command and scripting interpreter. The vulnerability also aligns with the OWASP Top Ten 2021 category A03:2021 - Injection, as the lack of proper input sanitization creates an injection vector for malicious code. Organizations should prioritize patching this vulnerability as soon as possible, particularly in environments where multiple administrators have access to plugin settings. The recommended mitigation includes updating to version 6.1.81 or later, implementing additional input validation at the network level, and monitoring for suspicious activity in plugin settings. Additionally, administrators should consider implementing role-based access controls to limit who can modify plugin configurations, though this should not be considered a substitute for proper patching and sanitization of the underlying vulnerability.

Reservation

01/25/2024

Disclosure

04/15/2024

Moderation

accepted

CPE

ready

EPSS

0.00441

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!