
Lin Yu

Rank: #16770 of 53,608
Total CVSS: 16
Vulnerabilities: 2 (High: 2)
PT-2022-11347 · CVSS 8.8 · 2022-04-19
WordPress · Fancy Product Designer · CVE-2021-4096

**Name of the Vulnerable Software and Affected Versions**
The Fancy Product Designer plugin for WordPress, versions up to and including 4.7.5.

**Description**
The issue allows attackers to perform Cross-Site Request Forgery via the FPD Admin Import class, enabling them to upload malicious files. These files could potentially be used to gain webshell access to a server.

**Recommendations**
For versions up to and including 4.7.5, update to a version higher than 4.7.5 to resolve the issue.
PT-2022-11383 · CVSS 7.2 · 2022-02-16
WordPress · Fancy Product Designer · CVE-2021-4134

**Name of the Vulnerable Software and Affected Versions**
The Fancy Product Designer WordPress plugin, versions up to and including 4.7.4.

**Description**
The issue arises from insufficient escaping and parameterization of the `ID` parameter in the ~/inc/api/class-view.php file, allowing attackers with administrative-level permissions to inject arbitrary SQL queries and obtain sensitive information.

**Recommendations**
For versions up to and including 4.7.4, update to a version that addresses the SQL Injection issue to prevent exploitation. As a temporary workaround, consider restricting access to the ~/inc/api/class-view.php file to minimize the risk of exploitation. Avoid using the `ID` parameter in the affected API endpoint until the issue is resolved.