WordPress Plugin Vulnerabilities

Fancy Product Designer < 4.7.6 - Arbitrary File Upload via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server via a CSRF attack

Affects Plugins

Plugin icon
fancy-product-designer
Fixed in 4.7.6

References

CVE
CVE-2021-4096
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4096

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lin Yu
Verified
No
WPVDB ID
69802ce1-5c3a-44e5-b007-98cc5a9d9d8f

Timeline

Publicly Published
2022-04-14 (about 4 years ago)
Added
2022-04-15 (about 4 years ago)
Last Updated
2022-04-18 (about 4 years ago)

Other

Published
Title
Published
2022-05-23
Title
Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS
Published
2023-12-28
Title
Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF
Published
2024-12-02
Title
Paloma Widget <= 1.14 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-06-19
Title
Form Builder <= 1.9.9.0 - CSRF
Published
2025-02-24
Title
WooCommerce Recargo de Equivalencia <= 1.6.24 - Cross-Site Request Forgery