CVE-2021-4134

Опубликовано: 16 фев. 2022

Источник: nvd

CVSS3: 7.2

CVSS3: 4.9

CVSS2: 4

EPSS Низкий

Описание

The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

Ссылки

https://support.fancyproductdesigner.com/support/discussions/topics/13000031264
Release Notes
Vendor Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134
Exploit
Third Party Advisory
https://support.fancyproductdesigner.com/support/discussions/topics/13000031264
Release Notes
Vendor Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:wordpress:*:*

Версия до 4.7.5 (исключая)

EPSS

Процентиль: 83%

0.02027

Низкий

7.2 High

CVSS3

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-mp27-fcc3-85qx

github

почти 4 года назад

EPSS

Процентиль: 83%

0.02027

Низкий

7.2 High

CVSS3

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-89