cbcvebase.
CVE-2021-24370
published 2021-06-21

CVE-2021-24370: The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

Priority: P191 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 47.09% (98.7th percentile)

Affected

1 range

Vendor  | Product                | Version range | Fixed in
radykal | fancy_product_designer | < 4.6.9       | 4.6.9

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php
  • Probe for the vulnerable file custom-image-handler.php via unauthenticated GET request; a 200 response with body containing '{"error":"You need to define a directory' and Content-Type text/html confirms the vulnerable endpoint is exposed.
  • The vulnerability is actively exploited in the wild to upload malware onto vulnerable WordPress sites; monitor for unexpected file uploads via this plugin's endpoint.
  • Unauthenticated arbitrary file upload is possible; monitor web server logs for POST requests to custom-image-handler.php from unauthenticated sessions.
  • The Nuclei template targets plugin versions strictly before 4.6.9; sites running 4.6.9 or later are not vulnerable and will not match the detection signature.
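As an added example (not from the page's sources or the plugin's own code), the log check from the notes above applied to Apache/nginx combined-format access logs: GET requests to the handler path are reported as probes and POST requests as upload attempts. The log lines are constructed, and the combined log format is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Vulnerable upload handler named in the detection notes above.
HANDLER_PATH = "/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(lines) -> List[Tuple[str, Dict[str, str]]]:
    """Return (kind, entry) pairs for requests that touch the handler.

    A GET is reported as "probe" (the response body is not in access logs, so
    exposure cannot be confirmed from here); a POST is an "upload_attempt".
    The query string is stripped and endswith() is used so that WordPress
    installs in a sub-directory still match.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if not path.endswith(HANDLER_PATH):
            continue
        if entry["method"] == "POST":
            findings.append(("upload_attempt", entry))
        elif entry["method"] == "GET":
            findings.append(("probe", entry))
    return findings


# Constructed sample log lines (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jun/2021:10:00:01 +0000] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jun/2021:10:00:05 +0000] "POST /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 200 144 "-" "python-requests/2.25.1"',
    '192.0.2.9 - - [21/Jun/2021:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jun/2021:10:01:30 +0000] "POST /blog/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php?r=1 HTTP/1.1" 200 144 "-" "curl/7.68.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for kind, e in classify(SAMPLE_LOG):
        print(f'{kind:15} {e["ip"]:15} {e["method"]} {e["path"]} -> {e["status"]}')
```

Pair the hits with the plugin version on the host: per the last note above, a POST to this path on 4.6.9 or later is not an exploit of this CVE.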

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | -       | 9.8   | CRITICAL | -