CVE-2021-24370
Severity: CRITICAL | Exploited in the wild | Nuclei template available
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and Remote Code Execution
Title source: llm

Exploitation Summary
CVE-2021-24370 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
Nuclei Templates (1)
WordPress Fancy Product Designer <4.6.9 - Arbitrary File Upload (CRITICAL, by pikpikcu)
References (5)
Core References
https://lists.openwall.net/full-disclosure/2020/11/17/2 (Exploit, Mailing List, Third Party Advisory)
https://seclists.org/fulldisclosure/2020/Nov/30 (Exploit, Mailing List, Third Party Advisory)
https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38 (Exploit, Third Party Advisory)
https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/ (Exploit, Third Party Advisory)
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/ (Exploit, Third Party Advisory)
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4709
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Details
VulnCheck KEV: 2021-06-01
InTheWild.io: 2021-05-31
CWE: CWE-434
Status: published
Products (1)
radykal/fancy_product_designer < 4.6.9
Published: Jun 21, 2021
Tracked Since: Feb 18, 2026