CVE-2021-4096

Published: Apr 19, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.

Affected (1)

Products: Radykal: Fancy Product Designer

1 product

Fancy Product Designer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Radykal Fancy Product Designer	Up to 4.7.5

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://support.fancyproductdesigner.com/support/discussions/topics/13000031615

Source: security@wordfence.com

Release NotesVendor Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4096

Source: security@wordfence.com

Third Party Advisory

https://support.fancyproductdesigner.com/support/discussions/topics/13000031615

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4096

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.