WordPress Plugin Vulnerabilities

Fancy Product Designer < 4.7.5 - Admin+ SQL Injection

Description

The plugin is vulnerable to SQL Injection due to insufficient escaping and validation of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information.

Affects Plugins

Plugin icon
fancy-product-designer
Fixed in 4.7.5

References

CVE
CVE-2021-4134
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lin Yu
Verified
Yes
WPVDB ID
810b0195-9d0e-429f-9e65-b685a4b56277

Timeline

Publicly Published
2022-02-08 (about 4 years ago)
Added
2022-02-08 (about 4 years ago)
Last Updated
2022-04-13 (about 4 years ago)

Other

Published
Title
Published
2026-01-16
Title
Advanced Ads – Ad Manager & AdSense < 2.0.16 - Authenticated (Admin+) SQL Injection
Published
2023-01-19
Title
WP TopBar <= 5.36 - Admin+ SQLi
Published
2024-06-19
Title
Media Library Assistant < 3.17 - Authenticated (Contributor+) SQL Injection via order Parameter
Published
2025-07-01
Title
NGG Smart Image Search < 3.4.3 - Unauthenticated SQL Injection
Published
2025-01-24
Title
Form Builder CP < 1.2.42 - Authenticated (Contributor+) SQL Injection