CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4334 – Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options
https://notcve.org/view.php?id=CVE-2021-4334
05 Apr 2023 — The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation. El complemento Fancy Product Designer para WordPress es vulnerable a modificaciones no autorizad... • https://support.fancyproductdesigner.com/support/discussions/topics/13000029981 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4335 – Fancy Product Designer <= 4.6.9 - Insufficient Authorization on Mulitple AJAX Actions
https://notcve.org/view.php?id=CVE-2021-4335
05 Apr 2023 — The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account. El... • https://support.fancyproductdesigner.com/support/discussions/topics/13000029981 • CWE-285: Improper Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4096 – Fancy Product Designer <= 4.7.5 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2021-4096
14 Apr 2022 — The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5. El plugin Fancy Product Designer para WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery por medio de la clase FPD_Admin_Import que hace posible que atacantes suban archivos maliciosos que podrían ser usados pa... • https://support.fancyproductdesigner.com/support/discussions/topics/13000031615 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 2%CPEs: 1EXPL: 1CVE-2021-4134 – Fancy Product Designer <= 4.7.4 Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-4134
08 Feb 2022 — The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4. El plugin Fancy Product Designer de WordPress es vulnerable a la inyección SQL debido a un escape y parametrización insuficientes del parámetro ID que se encue... • https://support.fancyproductdesigner.com/support/discussions/topics/13000031264 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 83%CPEs: 1EXPL: 5CVE-2021-24370 – Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE
https://notcve.org/view.php?id=CVE-2021-24370
01 Jun 2021 — The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. El plugin Fancy Product Designer de WordPress versiones anteriores a 4.6.9, permite a atacantes no autenticados cargar archivos arbitrarios, resultando en una ejecución de código remota • https://lists.openwall.net/full-disclosure/2020/11/17/2 • CWE-434: Unrestricted Upload of File with Dangerous Type •