CVE-2021-24370

Published: Jun 21, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

Affected (1)

Products: Radykal: Fancy Product Designer

Radykal

1 product

Fancy Product Designer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Radykal Fancy Product Designer	Before 4.6.9

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (10)

https://lists.openwall.net/full-disclosure/2020/11/17/2

Source: contact@wpscan.com

ExploitMailing ListThird Party Advisory

https://seclists.org/fulldisclosure/2020/Nov/30

Source: contact@wpscan.com

ExploitMailing ListThird Party Advisory

https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38

Source: contact@wpscan.com

ExploitThird Party Advisory

https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/

Source: contact@wpscan.com

ExploitThird Party Advisory

https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/

Source: contact@wpscan.com

ExploitThird Party Advisory

https://lists.openwall.net/full-disclosure/2020/11/17/2