CVE-2021-4335
Severity CVSS v4.0:
Pending analysis
Type:
CWE-285
Improper Authorization
Publication date:
20/10/2023
Last modified:
08/04/2026
Description
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account.
Impact
Base Score 3.x
6.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:wordpress:*:* | 4.7.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://support.fancyproductdesigner.com/support/discussions/topics/13000029981
- https://www.wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac?source=cve
- https://support.fancyproductdesigner.com/support/discussions/topics/13000029981
- https://www.wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac?source=cve