CVE-2021-4334
Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options
Public Exploits: 0
Exploited in Wild: -
Descriptions
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.
SSVC
- Decision: Track*
Timeline
- 2023-04-05 CVE Reserved
- 2023-04-05 CVE Published
- 2024-09-11 CVE Updated
- 2024-10-26 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-285: Improper Authorization
- CWE-863: Incorrect Authorization
References (2)
URL | Tag | Source |
---|---|---|
https://support.fancyproductdesigner.com/support/discussions/topics/13000029981 | Release Notes | |
https://www.wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21?source=cve | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Radykal | Fancy Product Designer | < 4.7.0 | wordpress | Affected |