CVSS: 7.5EPSS: %CPEs: 1EXPL: 0CVE-2024-51818 – Fancy Product Designer <= 6.4.3 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-51818
03 Jan 2025 — The Fancy Product Designer plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: %CPEs: 1EXPL: 0CVE-2024-51919 – Fancy Product Designer <= 6.4.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-51919
03 Jan 2025 — The Fancy Product Designer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.4.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31277 – WordPress Product Designer plugin <= 1.0.32 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-31277
05 Apr 2024 — Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.This issue affects Product Designer: from n/a through 1.0.32. Vulnerabilidad de deserialización de datos no confiables en PickPlugins Product Designer. Este problema afecta a Product Designer: desde n/a hasta 1.0.32. The Product Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.32 via deserialization of untrusted input. This makes it possible for unauthenticated attacke... • https://patchstack.com/database/vulnerability/product-designer/wordpress-product-designer-plugin-1-0-32-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •