CVE-2021-24370

CRITICAL EXPLOITED IN THE WILD NUCLEI

Radykal Fancy Product Designer < 4.6.9 - Unrestricted File Upload

Title source: rule

Description

The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

Nuclei Templates (1)

WordPress Fancy Product Designer <4.6.9 - Arbitrary File Upload

CRITICALby pikpikcu

References (5)

[Exploit, Mailing List, Third Party Advisory] https://lists.openwall.net/full-disclosure/2020/11/17/2

[Exploit, Mailing List, Third Party Advisory] https://seclists.org/fulldisclosure/2020/Nov/30

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38

[Exploit, Third Party Advisory] https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/

[Exploit, Third Party Advisory] https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/

Scores

CVSS v3 9.8

EPSS 0.7979

EPSS Percentile 99.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-06-01

InTheWild.io 2021-05-31

CWE

CWE-434

Status published

Products (1)

radykal/fancy_product_designer < 4.6.9

Published Jun 21, 2021

Tracked Since Feb 18, 2026