CVE-2021-4335

Fancy Product Designer <= 4.6.9 - Insufficient Authorization on Mulitple AJAX Actions

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account.

El complemento Fancy Product Designer para WordPress es vulnerable al acceso no autorizado a los datos y a la modificación de la configuración del complemento debido a una falta de verificación de capacidad en múltiples funciones AJAX en versiones hasta la 4.6.9 incluida. Esto hace posible que atacantes autenticados con permisos a nivel de suscriptor modifiquen la configuración del complemento, incluida la recuperación de información de pedidos arbitraria o la creación/actualización/eliminación de productos, pedidos u otra información confidencial no asociada con su propia cuenta.

*Credits: Ramuel Gall

CVSS Scores

NISTv3.1 6.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-04-05 CVE Reserved
2023-04-05 CVE Published
2024-09-11 CVE Updated
2024-10-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-285: Improper Authorization

CAPEC

References (2)

URL	Tag	Source
https://support.fancyproductdesigner.com/support/discussions/topics/13000029981	Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac?source=cve	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Radykal Search vendor "Radykal"		Fancy Product Designer Search vendor "Radykal" for product "Fancy Product Designer"				< 4.7.0 Search vendor "Radykal" for product "Fancy Product Designer" and version " < 4.7.0"		wordpress		Affected