CVE-2021-4134 - Vulnerability Details - OpenCVE

The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Radykal	Fancy Product Designer

Configuration 1 [-]

cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://support.fancyproductdesigner.com/support/discussions/topics/13000031264
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134

History

Fri, 31 Jan 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2022-02-16T16:38:05.000Z

Updated: 2025-01-31T19:04:19.198Z

Reserved: 2021-12-17T00:00:00.000Z

Link: CVE-2021-4134

Vulnrichment

Updated: 2024-08-03T17:16:04.245Z

NVD

Status : Modified

Published: 2022-02-16T17:15:11.377

Modified: 2024-11-21T06:36:58.570

Link: CVE-2021-4134

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fancy Product Designer ", "vendor": "Fancy Product Designer ", "versions": [{"lessThanOrEqual": "4.7.4", "status": "affected", "version": "4.7.4", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lin Yu"}], "descriptions": [{"lang": "en", "value": "The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-16T16:38:05.000Z", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134"}, {"tags": ["x_refsource_MISC"], "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264"}], "solutions": [{"lang": "en", "value": "Update to version 4.7.5 or newer. "}], "source": {"discovery": "UNKNOWN"}, "title": "Fancy Product Designer <= 4.7.4 Admin+ SQL Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "Wordfence", "ASSIGNER": "security@wordfence.com", "ID": "CVE-2021-4134", "STATE": "PUBLIC", "TITLE": "Fancy Product Designer <= 4.7.4 Admin+ SQL Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fancy Product Designer ", "version": {"version_data": [{"version_affected": "<=", "version_name": "4.7.4", "version_value": "4.7.4"}]}}]}, "vendor_name": "Fancy Product Designer "}]}}, "credit": [{"lang": "eng", "value": "Lin Yu"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134", "refsource": "MISC", "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134"}, {"name": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264", "refsource": "MISC", "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264"}]}, "solution": [{"lang": "en", "value": "Update to version 4.7.5 or newer. "}], "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:16:04.245Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-31T19:04:12.476387Z", "id": "CVE-2021-4134", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-31T19:04:19.198Z"}}]}, "cveMetadata": {"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2021-4134", "datePublished": "2022-02-16T16:38:05.000Z", "dateReserved": "2021-12-17T00:00:00.000Z", "dateUpdated": "2025-01-31T19:04:19.198Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:16:04.245Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-4134", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-31T19:04:12.476387Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-31T19:04:05.055Z"}}], "cna": {"title": "Fancy Product Designer <= 4.7.4 Admin+ SQL Injection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Lin Yu"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fancy Product Designer ", "product": "Fancy Product Designer ", "versions": [{"status": "affected", "version": "4.7.4", "versionType": "custom", "lessThanOrEqual": "4.7.4"}]}], "solutions": [{"lang": "en", "value": "Update to version 4.7.5 or newer. "}], "references": [{"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134", "tags": ["x_refsource_MISC"]}, {"url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2022-02-16T16:38:05.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Lin Yu"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "4.7.4", "version_value": "4.7.4", "version_affected": "<="}]}, "product_name": "Fancy Product Designer "}]}, "vendor_name": "Fancy Product Designer "}]}}, "solution": [{"lang": "en", "value": "Update to version 4.7.5 or newer. "}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134", "name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134", "refsource": "MISC"}, {"url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264", "name": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-4134", "AKA": "Wordfence", "STATE": "PUBLIC", "TITLE": "Fancy Product Designer <= 4.7.4 Admin+ SQL Injection", "ASSIGNER": "security@wordfence.com"}}}}, "cveMetadata": {"cveId": "CVE-2021-4134", "state": "PUBLISHED", "dateUpdated": "2025-01-31T19:04:19.198Z", "dateReserved": "2021-12-17T00:00:00.000Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2022-02-16T16:38:05.000Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "577F7AEC-595D-4623-9CA2-4250F5EC747B", "versionEndExcluding": "4.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4."}, {"lang": "es", "value": "El plugin Fancy Product Designer de WordPress es vulnerable a la inyecci\u00f3n SQL debido a un escape y parametrizaci\u00f3n insuficientes del par\u00e1metro ID que se encuentra en el archivo ~/inc/api/class-view.php, lo que permite a atacantes con permisos de nivel administrativo inyectar consultas SQL arbitrarias para obtener informaci\u00f3n confidencial, en versiones hasta 4.7.4 incluy\u00e9ndola"}], "id": "CVE-2021-4134", "lastModified": "2024-11-21T06:36:58.570", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-16T17:15:11.377", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264"}, {"source": "security@wordfence.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000031264"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}