CVE-2024-51919
Published: 21 January 2025
Description
Unrestricted Upload of File with Dangerous Type vulnerability in radykal Fancy Product Designer fancy-product-designer. This issue affects Fancy Product Designer: from n/a through <= 6.4.3.
Security Summary
CVE-2024-51919 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in radykal's Fancy Product Designer WordPress plugin (fancy-product-designer). The issue affects all versions of the plugin from n/a through 6.4.3 inclusive. It carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), rated critical: the vulnerability is reachable over the network with no privileges or user interaction required, and a successful exploit has high impact on confidentiality, integrity and availability with a scope change beyond the vulnerable component; attack complexity is rated high.
Unauthenticated attackers can exploit this vulnerability remotely by uploading arbitrary files of dangerous types, which can lead to server compromise such as remote code execution or other malicious actions depending on the uploaded payload. The high attack complexity (AC:H) indicates that exploitation depends on specific conditions or techniques, but the absence of an authentication barrier (PR:N) and the scope change (S:C) mean the potential impact on affected WordPress sites is broad.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve provides details on this unauthenticated arbitrary file upload vulnerability in Fancy Product Designer version 6.4.3 and earlier, including recommended mitigations such as applying available patches or updates.
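The control that closes a CWE-434 upload in a WordPress plugin is an allowlist of file types enforced on the server together with an authorisation check on the endpoint. The handler below is an added example written for this page, not the plugin's own code; the hook name, nonce action and request field names are hypothetical, while the WordPress functions it calls are real core APIs.

```php
<?php
// Added example, not the plugin's own code: a hardened WordPress AJAX upload
// handler that closes the CWE-434 pattern described above. The hook name,
// nonce action and request field names are hypothetical.
require_once ABSPATH . 'wp-admin/includes/file.php';

// Registered on 'wp_ajax_*' only. Leaving out 'wp_ajax_nopriv_*' means an
// unauthenticated request (the PR:N case in the advisory) never reaches it.
add_action( 'wp_ajax_example_design_upload', 'example_handle_design_upload' );
function example_handle_design_upload() {
    // 1. Capability and CSRF checks before the file is touched at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_design_upload', 'nonce' );

    if ( empty( $_FILES['design'] ) || ! is_uploaded_file( $_FILES['design']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['design'];

    // 2. Allowlist of the types a design upload legitimately needs. Anything
    //    else (php, phtml, phar, html, svg, ...) is rejected by omission.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // 3. Validate extension and content together. wp_check_filetype_and_ext()
    //    rejects extensions outside $allowed, corrects a mislabeled image's
    //    extension (proper_filename) and, for non-image types, rejects files
    //    whose finfo MIME type does not match the extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename']; // WP corrected the extension
    }
    $file['name'] = sanitize_file_name( $file['name'] ); // strips path separators etc.

    // 4. Let WordPress move the file: the same allowlist is enforced again, the
    //    stored name always carries an allowlisted extension (so the web server
    //    never hands it to the PHP interpreter) and it stays under uploads/.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Disabling script execution in the uploads directory at the web server (an nginx location rule or removing the PHP handler in Apache) is an independent second layer that limits the damage if a plugin's own upload validation fails.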
Details
- CWE(s)