CVE-2021-4134
published 2022-02-16


Priority: P4 (30)
Severity: medium, 4.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.42% (69.4th percentile)
The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
fancy_product_designer | fancy_product_designer | 4.7.4 – 4.7.4 | (none listed)
radykal | fancy_product_designer | < 4.7.5 | 4.7.5

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N