WordPress Fancy Product Designer premium plugin <= 4.6.8 - Unauthenticated Arbitrary File Upload and Remote Code Execution (RCE) vulnerabilities

fancy-product-designer

Software: Fancy Product Designer
Versions: <= 4.6.8
Disclosure date: 2021-06-01
CVE: CVE-2021-24370
References:
Credits:
Classification: Remote Code Execution (RCE)
OWASP Top 10: A1: Injection
CVSS 3.0 score: 9.8 (Critical)

Can be exploited remotely without any authentication.

Details

Unauthenticated Arbitrary File Upload and Remote Code Execution (RCE) vulnerabilities, discovered by Wordfence, affect the WordPress Fancy Product Designer premium plugin in versions <= 4.6.8.

Solution

As of June 2, 2021, no information about a patched version is available.
