CVE-2024-51818

CRITICAL

Fancy Product Designer <= 6.4.3 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-51818, with PoCs published by iSee857 and RandomRobbieBF.

AI-analyzed exploit summary: the iSee857 link points into a multi-CVE PoC repository, and the generated summary for that entry describes the repository's other payloads (RCE for CVE-2026-22812) rather than the linked CVE-2024-51818 file, which is a standalone Python SQL injection PoC. The RandomRobbieBF entry is a sqlmap-driven PoC against the unauthenticated 'product_id' parameter of the plugin's AJAX request.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in radykal Fancy Product Designer (fancy-product-designer). This issue affects Fancy Product Designer from n/a through 6.4.3 (6.4.3 inclusive).

Exploits (2)

github · WORKING POC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/WordPressFancyProductDesigner_CVE-2024-51818_SqlInjection.py

The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates remote command execution (RCE) via crafted HTTP requests. The code includes proper error handling, threading for batch scanning, and payload delivery mechanisms. (This generated summary and the classification that follows describe the repository as a whole; the file linked above is the CVE-2024-51818 SQL injection script.)

Classification: Working PoC (95%)
Attack type: RCE (as classified for the repository's other PoCs; the linked CVE-2024-51818 script is SQL injection)
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (CVE-2026-22812), Altenergy (CVE-2024-11305), and others
Authentication: none needed
Prerequisites: Network access to target · Target service running and accessible
Analyzed by devstral-2, Feb 27, 2026
nomisec · WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-51818

This repository provides a proof-of-concept for CVE-2024-51818, an unauthenticated SQL injection vulnerability in the Fancy Product Designer WordPress plugin (versions up to and including 6.4.3). The PoC uses sqlmap to demonstrate exploitation via the 'product_id' parameter in an AJAX request.

Classification: Working PoC (90%)
Attack type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Fancy Product Designer WordPress plugin <= 6.4.3
Authentication: none needed
Prerequisites: Access to the target WordPress site · sqlmap installed
Analyzed by devstral-2, Feb 16, 2026
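The RandomRobbieBF entry above gives the two facts a defender needs: the injection point is the unauthenticated 'product_id' parameter of the plugin's AJAX request, and the tool used is sqlmap. What follows is an added example, not code from the EIP page or from either PoC repository, showing how to hunt for such probes in request logs. It assumes a tab-separated export (client ip, method, path, URL-encoded parameters, user agent) of the kind a WAF or audit log can produce; the sample lines are constructed, "fpd_placeholder" stands in for the AJAX action name because the page does not give it, and the rule that product_id must be a plain positive integer is an assumption about the plugin's expected input.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample log (not real traffic). Tab-separated fields:
# client ip, HTTP method, path, request parameters (query string or form
# body, URL-encoded), user agent. "action=fpd_placeholder" is a stand-in for
# the plugin's real AJAX action, which is not named on the page.
SAMPLE_LOG = """\
203.0.113.5\tPOST\t/wp-admin/admin-ajax.php\taction=fpd_placeholder&product_id=12\tMozilla/5.0
203.0.113.9\tPOST\t/wp-admin/admin-ajax.php\taction=fpd_placeholder&product_id=12%27%20AND%20SLEEP%285%29--%20\tsqlmap/1.8
203.0.113.9\tPOST\t/wp-admin/admin-ajax.php\taction=fpd_placeholder&product_id=12)%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--\tMozilla/5.0
203.0.113.9\tPOST\t/wp-admin/admin-ajax.php\taction=fpd_placeholder&product_id=12\tsqlmap/1.8
198.51.100.2\tGET\t/wp-admin/admin-ajax.php\taction=other&product_id=7\tcurl/8.0
198.51.100.3\tGET\t/index.php\tpage_id=3\tMozilla/5.0
"""

# Assumption: product_id is a plain positive integer. Anything else is
# suspicious on its own; the markers below only explain *why* when they hit.
INTEGER = re.compile(r"\d+")
SQLI_MARKERS = re.compile(
    r"(?i)(\bunion\b[\s\S]*?\bselect\b"   # UNION ... SELECT
    r"|\bsleep\s*\(|\bbenchmark\s*\("    # time-based probes
    r"|\b(?:and|or)\b\s+\S+\s*=\s*\S+"   # boolean tautologies: AND 1=1
    r"|--|#|/\*|'|\")"                   # comment / quote breakouts
)


def classify_value(value: str) -> Optional[str]:
    """Return a reason if a product_id value looks like an injection probe, else None."""
    if INTEGER.fullmatch(value):
        return None
    m = SQLI_MARKERS.search(value)
    if m:
        return f"sql marker {m.group(0)!r}"
    return "non-integer product_id"


def scan(log_text: str) -> List[Dict[str, str]]:
    """Flag admin-ajax.php requests whose product_id looks injected, or that
    come from sqlmap's default user agent even when the value is benign
    (sqlmap sends clean baseline requests before it starts injecting)."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, method, path, params, ua = line.split("\t")
        if not path.endswith("/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so markers are matched on the decoded value
        for value in parse_qs(params, keep_blank_values=True).get("product_id", []):
            reason = classify_value(value)
            if reason is None and "sqlmap" in ua.lower():
                reason = "sqlmap user-agent"
            if reason:
                hits.append({"ip": ip, "method": method, "value": value,
                             "reason": reason, "ua": ua})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} product_id={hit["value"]!r}: {hit["reason"]}')
```

Because the PoC works over an AJAX request, the parameters may travel in a POST body that a plain access log does not record; the check only sees what the log source captures, so enable request-body logging on the WAF or use mod_security audit logs before relying on it. The user-agent rule is deliberately a fallback: sqlmap's `--random-agent` removes it, but the non-integer and marker checks still fire.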

Scores

CVSS v3.1 base score: 9.3 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L (network-reachable, low complexity, no privileges or user interaction, scope changed; high confidentiality impact, no integrity impact, low availability impact)
EPSS: 0.1541 (an estimated 15.4% probability of exploitation activity in the next 30 days), percentile 96.4%
Attack vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (2)
NotFound/Fancy Product Designer <= 6.4.3
radykal/Fancy Product Designer <= 6.4.3
Published: Jan 21, 2025
Tracked since: Feb 18, 2026