CVE-2021-4335 — Improper Authorization in Fancy Product Designer

CWE-285 — Improper Authorization3 documents3 sources

Severity

6.3MEDIUMNVD

EPSS

0.0%

top 85.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Radykal Fancy Product Designer

Timeline

PublishedOct 20

Description

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶NVDradykal/fancy_product_designer< 4.7.0

▶CVEListV5radykal/fancy_product_designer4.6.9

🔴Vulnerability Details

CVEList

Fancy Product Designer <= 4.6.9 - Insufficient Authorization on Mulitple AJAX Actions↗2023-10-20

▶

GHSA

GHSA-fm3x-qgq6-7xmf: The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capa↗2023-10-20

▶