WordPress Plugin Vulnerabilities

Fancy Product Designer < 4.7.0 - Subscriber+ Unauthorized Site Options Modification

Description

The plugin does not properly implement capability checks on the fpd_update_options function. This can result in unauthorized modification of site options by authenticated users with subscriber-level permissions, including the ability to escalate privileges by setting the default role to administrator.

Affects Plugins

Plugin icon
fancy-product-designer
Fixed in 4.7.0

References

CVE
CVE-2021-4334
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
39efd617-348b-4c1d-b767-2c93e697a55b

Timeline

Publicly Published
2023-04-05 (about 3 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2014-09-21
Title
MailPoet Newsletters 2.6.7 - helpers/back.php page Parameter Unspecified Issue
Published
2014-08-01
Title
PICA Photo Gallery - Remote File Disclosure
Published
2020-03-11
Title
Font Awesome 4.0.0-RC15 & RC16 - API Token & Access Token Disclosure
Published
2014-08-01
Title
vTiger - CRM Lead Capture Unspecified
Published
2014-04-28
Title
TinyMCE Color Picker 1.1 - tinymce-colorpicker.php Missing edit_others_posts Capability Check