
CVSS: 7.5 • EPSS: % • CPEs: 1 • EXPL: 0

03 Jan 2025 — The Fancy Product Designer plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.4.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database. • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 0

03 Jan 2025 — The Fancy Product Designer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.4.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Jan 2025 — Missing Authorization vulnerability in ORION Allada T-shirt Designer for Woocommerce. This issue affects Allada T-shirt Designer for Woocommerce: from n/a through 1.1. The Allada T-shirt Designer for Woocommerce – Custom Product Designer for T-shirt personalization and design plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/allada-tshirt-designer-for-woocommerce/vulnerability/wordpress-allada-t-shirt-designer-for-woocommerce-plugin-1-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Dec 2024 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodegearThemes Designer allows PHP Local File Inclusion. This issue affects Designer: from n/a through 1.3.3. The Designer plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.4.1. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution... • https://patchstack.com/database/wordpress/plugin/designer/vulnerability/wordpress-designer-plugin-1-3-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Nov 2024 — Path Traversal: '.../...//' vulnerability in Softpulse Infotech SP Blog Designer allows PHP Local File Inclusion. This issue affects SP Blog Designer: from n/a through 1.0.0. Path Traversal: the '.../...//' vulnerability in Softpulse Infotech SP Blog Designer allows PHP Local File Inclusion. This issue affects SP Blog Designer: from n/a through 1.0.0. The SP Blog Designer plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.0.0. This makes it possible... • https://patchstack.com/database/wordpress/plugin/sp-blog-designer/vulnerability/wordpress-sp-blog-designer-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve • CWE-35: Path Traversal: '.../...//' CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Apr 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniele De Rosa Backend Designer allows Stored XSS. This issue affects Backend Designer: from n/a through 1.3. The Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniele De Rosa Backend Designer allows Stored XSS. This issue affects Backend Designer: from n/a through 1.3. The Backend Designer plugin for WordPress is vulnerable ... • https://patchstack.com/database/vulnerability/backend-designer/wordpress-backend-designer-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Apr 2024 — Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer. This issue affects Product Designer: from n/a through 1.0.32. Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer. This issue affects Product Designer: from n/a through 1.0.32. The Product Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.32 via deserialization of untrusted input. This makes it possible for unauthenticated attacke... • https://patchstack.com/database/vulnerability/product-designer/wordpress-product-designer-plugin-1-0-32-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Jun 2020 — Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace executable files with malicious versions, which the operating system then executes under the context of the user running Hero Designer. Mids' Reborn Hero Designer version 2.6.0.7 downloads the update manifest... • https://github.com/Crytilis/mids-reborn-hero-designer/releases • CWE-319: Cleartext Transmission of Sensitive Information CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Jun 2020 — Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulnerability due to default and insecure permissions being set for the installation folder. By default, the Authenticated Users group has Modify permissions to the installation folder. Because of this, any user on the system can replace binaries or plant malicious DLLs to obtain elevated, or different, privileges, depending on the context of the user that runs the application. Mids' Reborn Hero Designer version 2.6.0.7 has a vulnerability... • https://github.com/Crytilis/mids-reborn-hero-designer/releases • CWE-427: Uncontrolled Search Path Element CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 10.0 • EPSS: 10% • CPEs: 1 • EXPL: 1

23 Mar 2007 — Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php. Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_P... • https://www.exploit-db.com/exploits/3501 •