CVE-2024-0904

5.9 MEDIUM

📋 TL;DR

This vulnerability in the Fancy Product Designer WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute when other users view those settings. It affects WordPress sites using vulnerable plugin versions, particularly in multisite configurations where unfiltered_html is restricted.

💻 Affected Systems

Products:
  • Fancy Product Designer WordPress plugin
Versions: All versions before 6.1.81
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator or equivalent high-privilege user. Particularly relevant in WordPress multisite setups where unfiltered_html is disallowed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case

Privileged user executes stored XSS to steal session cookies, redirect users, or deface the site.

🟢 If Mitigated

Limited impact if only trusted administrators exist and proper input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges. No public exploit code identified at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.81

Vendor Advisory: https://wpscan.com/vulnerability/baf4afc9-c20e-47d6-a798-75e15652d1e3/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Fancy Product Designer.
4. Click 'Update Now' if available, or manually update to version 6.1.81 or later.

🔧 Temporary Workarounds

Remove vulnerable plugin (applies to: all)

Temporarily deactivate and remove the plugin if not essential

wp plugin deactivate fancy-product-designer
wp plugin delete fancy-product-designer

Restrict admin access (applies to: all)

Limit administrator accounts to only trusted personnel

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Monitor administrator activities and plugin setting changes for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin panel under Plugins > Installed Plugins. If the version is below 6.1.81, the site is vulnerable.

Check Version:

wp plugin get fancy-product-designer --field=version

Verify Fix Applied:

Confirm plugin version is 6.1.81 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin setting modifications by admin users
  • JavaScript payloads in plugin option values

Network Indicators:

  • Unexpected script loads from plugin-related pages
  • Suspicious outbound connections from admin sessions

SIEM Query:

source="wordpress" AND (event="plugin_updated" OR event="option_updated") AND plugin="fancy-product-designer"
