CVE-2021-24370
Published: 2021-06-21
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
Priority: P191 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 47.09% (98.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| radykal | fancy_product_designer | < 4.6.9 | 4.6.9 |
Detection & IOCs (extracted from sources)
Path: /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php
- Probe for the vulnerable file custom-image-handler.php via an unauthenticated GET request; a 200 response with a body containing '{"error":"You need to define a directory' and Content-Type text/html confirms the vulnerable endpoint is exposed.
- The vulnerability is actively exploited in the wild to upload malware onto vulnerable WordPress sites; monitor for unexpected file uploads via this plugin's endpoint.
- Unauthenticated arbitrary file upload is possible; monitor web server logs for POST requests to custom-image-handler.php from unauthenticated sessions.
- The nuclei template targets plugin versions strictly before 4.6.9; sites running 4.6.9 or later are not vulnerable and will not match the detection signature.
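As an added example (not code from this page's sources or from the plugin vendor), a Python triage script that applies the two log-based checks above to Apache/nginx combined-format access logs: it counts GET probes and POST upload attempts against custom-image-handler.php per source address. The log lines are constructed; a combined log records no WordPress session state, so every hit is reported for analyst triage rather than filtered to unauthenticated ones.

```python
import re
from collections import Counter, defaultdict

# Plugin endpoint named in the IOC list above; matched as a suffix so sites installed
# under a sub-path (e.g. /blog/wp-content/...) are still caught.
HANDLER_PATH = "/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php"

# Apache/nginx "combined" access-log format. It carries no WordPress session state, so
# "unauthenticated" cannot be decided from it; every hit on the handler is reported.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def handler_requests(lines):
    """Yield parsed requests whose path (query string stripped) is the image handler."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (rotation banner, truncated write): skip it
        path = m.group("path").split("?", 1)[0]
        if path.lower().endswith(HANDLER_PATH):
            yield {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                   "status": int(m.group("status")), "ua": m.group("ua") or ""}

def triage(lines):
    """Per source IP: GET probes, POST upload attempts, and the status codes returned."""
    report = defaultdict(lambda: {"get": 0, "post": 0, "statuses": Counter()})
    for r in handler_requests(lines):
        entry = report[r["ip"]]
        if r["method"] == "GET":
            entry["get"] += 1    # the unauthenticated probe described in the IOC list
        elif r["method"] == "POST":
            entry["post"] += 1   # the upload vector named in the IOC list
        entry["statuses"][r["status"]] += 1
    return dict(report)

# Constructed sample log lines (not real traffic): one probe, two POSTs, one benign page view.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Jun/2021:10:02:11 +0000] "GET {HANDLER_PATH} HTTP/1.1" 200 61 "-" "python-requests/2.25.1"',
    f'203.0.113.7 - - [21/Jun/2021:10:02:13 +0000] "POST {HANDLER_PATH} HTTP/1.1" 200 118 "-" "python-requests/2.25.1"',
    f'203.0.113.7 - - [21/Jun/2021:10:02:14 +0000] "POST {HANDLER_PATH}?x=1 HTTP/1.1" 200 118 "-" "python-requests/2.25.1"',
    '198.51.100.4 - - [21/Jun/2021:10:05:00 +0000] "GET /product/mug/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        print(f"{ip}: {e['get']} GET probe(s), {e['post']} POST(s), statuses={dict(e['statuses'])}")
```

Feed it a real log with `triage(open("access.log"))`; a source showing a GET probe followed by one or more POSTs is the sequence the IOC bullets describe.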
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-x5g3-h6vq-mcw4 · ghsa_unreviewed · 2022-05-24 · CVE-2021-24370 [CRITICAL] · CWE-434
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
VulnCheck
radykal fancy_product_designer Unrestricted Upload of File with Dangerous Type · vulncheck · 2021 · CVSS 9.8 · CVE-2021-24370 [CRITICAL]
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
Affected: radykal fancy_product_designer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
No detection rules found.
Nuclei
WordPress Fancy Product Designer <4.6.9 - Arbitrary File Upload · nuclei · CVSS 9.8 · CVE-2021-24370 [CRITICAL]
WordPress Fancy Product Designer plugin before 4.6.9 is susceptible to an arbitrary file upload. An attacker can upload malicious files and execute code on the server, modify data, and/or gain full control over a compromised system without authentication.
Template (truncated):

```yaml
id: CVE-2021-24370

info:
  name: WordPress Fancy Product Designer <4.6.9 - Arbitrary File Upload
  author: pikpikcu
  severity: critical
  description: |
    WordPress Fancy Product Designer plugin before 4.6.9 is susceptible to an arbitrary file upload. An attacker can upload malicious files and execute code on the server, modify data, and/or gain full control over a compromised system without authentication.
  impact: |
    Attackers can upload malicious files and execute arbit
```
Checkpoint
7th June – Threat Intelligence Report · blogs_checkpoint · 2021-06-07 · CVE-2021-30186
## 7th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 7th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has identified a new cyber espionage weapon called SharpPanda being used by a Chinese threat group, in an ongoing surveillance operation targeting a Southeast Asian government. The attack starts with spear phishing emails leveraging old Microsoft vulnerabilities.
Check Point Threat Emulation provides protect
Bugzilla
CVE-2020-24370 lua: segmentation fault in getlocal and setlocal functions in ldebug.c · bugzilla · 2020-08-19 · CVSS 5.3 [MEDIUM]
ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
Reference:
http://lua-users.org/lists/lua-l/2020-07/msg00324.html
Upstream commit:
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
Discussion:
Update pending for F31/F32, built for F33/F34.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4510 https://access.redhat.com/errata/RHSA-2021:4510
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-24370
References:
- https://lists.openwall.net/full-disclosure/2020/11/17/2
- https://seclists.org/fulldisclosure/2020/Nov/30
- https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38
- https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/
- https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/