Filtered by vendor Radykal
Subscribe
Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-4335 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | N/A | 6.3 MEDIUM |
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account. | |||||
CVE-2021-4334 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | N/A | 8.8 HIGH |
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation. | |||||
CVE-2021-4134 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4. | |||||
CVE-2021-4096 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5. | |||||
CVE-2021-24370 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. |