Cyber Resilience

CVE-2024-51818

Critical

Published: 21 January 2025

Modified: 23 April 2026
KEV Added: not listed
Patch: vendor update available
CVSS Score (v3.1): 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.1926 (95.5th percentile)
Risk Priority: 30 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-51818 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.5% of all CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-51818 is an unauthenticated SQL injection vulnerability (CWE-89) in the Fancy Product Designer WordPress plugin developed by radykal. The flaw stems from improper neutralization of special elements in SQL commands and affects all versions through 6.4.3, carrying a CVSS 3.1 score of 9.3 that reflects network-accessible attack vectors with no required authentication or user interaction and a changed scope.

An attacker can send crafted requests directly to the plugin endpoints to execute arbitrary SQL queries against the database. Successful exploitation yields high confidentiality impact, including potential extraction of sensitive data, along with limited availability effects, all without any prior credentials or user involvement.

The Patchstack advisory for this issue identifies the vulnerability in the WordPress plugin up to version 6.4.3 and frames it as an unauthenticated SQL injection exposure, directing users to apply the vendor-supplied update that resolves the flaw.

The associated EPSS score sits at 0.1926, essentially at its recorded peak, indicating moderate but stable exploitation interest since disclosure.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in radykal Fancy Product Designer (fancy-product-designer). This issue affects Fancy Product Designer: from n/a through <= 6.4.3.

CWE(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated SQL injection in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) for unauthorized extraction of database contents (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)
CVE-2024-13369 (shared CWE-89)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly mitigates SQL injection in Fancy Product Designer by requiring validation and sanitization of untrusted inputs before they are used in SQL commands.

SI-2 Flaw Remediation (prevent)

Ensures timely patching of the specific SQL injection flaw (CVE-2024-51818) in Fancy Product Designer WordPress plugin versions <= 6.4.3.

Vulnerability scanning (detect)

Vulnerability scanning identifies the unauthenticated SQL injection vulnerability in the plugin, enabling proactive remediation.
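The SI-10 control above is abstract, so here is the concrete coding pattern it demands in a WordPress plugin, written as an added illustration for this page. It is not code from the Fancy Product Designer plugin, from radykal, or from the Patchstack advisory; the page does not show the plugin's actual vulnerable code path. The table name, request parameter and function names (prefixed `fpd_demo_`) are hypothetical. The weak handler concatenates a request value into the SQL string (the CWE-89 pattern); the hardened handlers validate the type first and bind values through `$wpdb->prepare()`, which is the WordPress core API for parameterized queries.

```php
<?php
// Added illustration (hypothetical handlers, not the plugin's own code):
// the CWE-89 pattern that SI-10 input validation addresses, shown as a weak
// handler beside its hardened equivalents.

// Weak: the request value is concatenated straight into the SQL text, so
// whatever the client sends becomes part of the query structure.
function fpd_demo_get_design_unsafe( $request_value ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fpd_demo_designs'; // hypothetical table
    $sql   = "SELECT id, title, owner_id FROM {$table} WHERE id = " . $request_value;
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened: an ID must be a positive integer, so validate the type first,
// then bind it with %d so it can never change the shape of the query.
function fpd_demo_get_design_safe( $request_value ) {
    global $wpdb;
    $id = absint( $request_value );
    if ( 0 === $id ) {
        return new WP_Error( 'invalid_id', 'Design ID must be a positive integer.' );
    }
    $table = $wpdb->prefix . 'fpd_demo_designs';
    $sql   = $wpdb->prepare(
        "SELECT id, title, owner_id FROM {$table} WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// String inputs get the same treatment with %s. A LIKE pattern additionally
// needs $wpdb->esc_like() so that user-supplied % and _ match literally.
function fpd_demo_search_designs_safe( $request_value ) {
    global $wpdb;
    $term = sanitize_text_field( wp_unslash( $request_value ) );
    if ( '' === $term || strlen( $term ) > 100 ) {
        return new WP_Error( 'invalid_term', 'Search term missing or too long.' );
    }
    $table = $wpdb->prefix . 'fpd_demo_designs';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s LIMIT 50",
        '%' . $wpdb->esc_like( $term ) . '%'
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Registering the hardened handler on an AJAX endpoint. wp_ajax_nopriv_ means
// unauthenticated visitors can reach it, which is exactly the exposure class
// described for this CVE, so the handler itself has to do the validation above.
add_action( 'wp_ajax_nopriv_fpd_demo_search', function () {
    $raw    = isset( $_POST['term'] ) ? $_POST['term'] : '';
    $result = fpd_demo_search_designs_safe( $raw );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
} );
```

The design choice worth noting is the split between validation (reject anything that is not the expected type or length) and parameterization (bind whatever survives through `%d`/`%s`); either alone is weaker than both together, and SI-10 is satisfied by the combination. For SI-2, the page's other recommended control, the only action is to move the plugin past version 6.4.3 to the vendor-supplied update; no code change in the site itself substitutes for that.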

References