CVE-2021-4334

Name of the Vulnerable Software and Affected Versions The Fancy Product Designer plugin for WordPress versions up to, and including, 4.6.9

Description The issue allows unauthorized modification of site options due to a missing capability check on the fpd update options function. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator, which can allow privilege escalation.

Recommendations For versions up to, and including, 4.6.9, update to a version higher than 4.6.9 to resolve the issue. As a temporary workaround, consider disabling the fpd update options function until a patch is available. Restrict access to site options to minimize the risk of exploitation. Avoid using the default role setting in the affected site options until the issue is resolved.