CVE-2021-4096 — Cross-Site Request Forgery in Fancy Product Designer

CWE-352 — Cross-Site Request Forgery CWE-434 — Unrestricted File Upload CWE-402 — Resource Leak CWE-20 — Improper Input Validation CWE-131 — Incorrect Calculation of Buffer Size CWE-125 — Out-of-bounds Read10 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 70.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fancy-product-designer Fancy Product Designer Radykal Fancy Product Designer

Timeline

PublishedApr 19

Latest updateFeb 26

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDradykal/fancy_product_designer4.7.5

▶CVEListV5fancy-product-designer/fancy_product_designer4.7.5 — 4.7.5

🔴Vulnerability Details

GHSA

GHSA-h292-vmfp-f8m3: The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for↗2022-04-20

▶

CVEList

Fancy Product Designer <= 4.7.5 - Cross-Site Request Forgery to Arbitrary File Upload↗2022-04-19

▶

📋Vendor Advisories

Red Hat

kernel: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()↗2025-02-26

▶

Red Hat

kernel: tcp: add sanity tests to TCP_QUEUE_SEQ↗2024-08-29

▶

Red Hat

kernel: scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()↗2024-04-10

▶

Red Hat

kernel: kfence: fix memory leak when cat kfence objects↗2024-03-04

▶

Red Hat

kernel: media: staging/intel-ipu3: Fix set_fmt error handling↗2024-02-27

▶