Aggregates CVE and security vulnerability intelligence across all radykal-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk path handling, and vendor risk csrf and related problems; some flaws may lead to vendor impact file overwrite and vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-0904 | The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 5.9 | 0.44% | 2024-05-06 | 2025-05-08 |
| CVE-2024-0905 | The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users | [email protected] | 6.3 | 0.29% | 2024-04-26 | 2025-05-08 |
| CVE-2024-0902 | The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 4.8 | 0.12% | 2024-04-15 | 2025-04-07 |
| CVE-2024-0365 | The Fancy Product Designer WordPress plugin before 6.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by adminstrators. | [email protected] | 6.5 | 0.32% | 2024-03-18 | 2025-05-05 |
| CVE-2021-4334 | The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation. | [email protected] | 8.8 | 0.11% | 2023-10-20 | 2026-04-08 |
| CVE-2021-4335 | The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own | [email protected] | 6.3 | 0.05% | 2023-10-20 | 2026-04-08 |
| CVE-2021-4096 | The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5. | [email protected] | 8.8 | 0.11% | 2022-04-19 | 2024-11-21 |
| CVE-2021-4134 | The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4. | [email protected] | 7.2 | 1.23% | 2022-02-16 | 2024-11-21 |
| CVE-2021-24370 | The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. | [email protected] | 9.8 | 79.79% | 2021-06-21 | 2024-11-21 |