Lucene search

WordfenceVULNRICHMENT:CVE-2021-4334

HistoryOct 20, 2023 - 7:29 a.m.

CVE-2021-4334

2023-10-2007:29:38

Wordfence

github.com

wordpress

fancy product designer

unauthorized modification

site options

privilege escalation

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

25.7%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.

References

support.fancyproductdesigner.com/support/discussions/topics/13000029981

www.wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21?source=cve

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

25.7%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2021-4334