CVE-2024-51818: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2024-51818) was discovered in the Fancy Product Designer WordPress plugin affecting versions up to 6.4.3. The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries in the WordPress site's database. This critical vulnerability was discovered by Rafie Muhammad and publicly disclosed on January 3, 2025 (Patchstack Database).

The vulnerability exists in the get_products_sql_attrs function where the $_POST['fpd_filter_users_select'] variable is passed to the $where parameter for the user_id query with insufficient sanitization. The function only uses strip_tags to sanitize the value, which is inadequate for preventing SQL injection as it merely strips HTML, XML, and PHP tags. The value is then constructed without proper quotes in the SQL query and directly processed in the get_products function through $wpdb->get_results() query execution. The vulnerability has received a CVSS v3.1 base score of 9.3 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L (Patchstack Article).

The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries in the database of the WordPress site. This could potentially lead to unauthorized access to sensitive information stored in the database, manipulation of data, and possible compromise of the entire WordPress installation (Patchstack Database).

Users are advised to update to version 6.4.4 or later which contains the fix for this vulnerability. If immediate updating is not possible, it is recommended to delete or deactivate the plugin until the patch can be applied. Patchstack customers are protected from this vulnerability through virtual patching (Patchstack Article).