The plugin is vulnerable to SQL Injection due to insufficient escaping and validation of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information.
CPE | Name | Operator | Version |
---|---|---|---|
fancy-product-designer | lt | 4.7.5 |