WordPress Plugin Vulnerabilities

Fancy Product Designer < 4.7.0 - Subscriber+ Unauthorized Access and Modification

Description

The plugin does not perform capability checks on multiple AJAX functions, leading to potential unauthorized access to data and changes to plugin settings. This can result in authenticated users with low-level permissions, such as subscribers, retrieving arbitrary order information or altering products, orders, and sensitive information not associated with their account.

Affects Plugins

Plugin icon
fancy-product-designer
Fixed in 4.7.0

References

CVE
CVE-2021-4335
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
86b3dd69-8890-4da2-9f51-470e2729afd1

Timeline

Publicly Published
2023-04-05 (about 3 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2024-11-15
Title
Popup by Supsystic < 1.10.30 - Admin+ Remote Code Execution
Published
2014-08-01
Title
Email Newsletter <= 8.0 - Information Disclosure
Published
2025-01-30
Title
Single-user-chat <= 0.5 - Authenticated (Subscriber+) Limited Options Update
Published
2014-08-01
Title
Wordpress 2.5 - Cookie Integrity Protection
Published
2025-05-30
Title
Profitori 2.0.6.0 - 2.1.1.3 - Unauthenticated Privilege Escalation