Ram Gall

Researcher fromWordfence
#10135of 53,634
27.3Total CVSS
Vulnerabilities · 3
High
1
Critical
2
PT-2021-15906
9.8
2021-06-21
Unknown · Fancy Product Designer · CVE-2021-24370
**Name of the Vulnerable Software and Affected Versions** Fancy Product Designer versions prior to 4.6.9 **Description** The issue allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. **Recommendations** For versions prior to 4.6.9, update to version 4.6.9 or later to resolve the issue.
PT-2021-15876
7.5
2021-06-07
WordPress · Wp Statistics · CVE-2021-24340
**Name of the Vulnerable Software and Affected Versions** WP Statistics WordPress plugin versions prior to 13.0.8 **Description** The issue arises from the WP Statistics WordPress plugin's improper use of the WordPress esc sql() function on a field not delimited by quotes, without first preparing the query. Furthermore, a page intended for administrator access was also accessible to any visitor, including unauthenticated ones. **Recommendations** For WP Statistics WordPress plugin versions prior to 13.0.8, update to version 13.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected page to only authenticated administrators until the update is applied.
PT-2020-6318
10
2020-09-09
WordPress · Wp File Manager · CVE-2020-25213
**Name of the Vulnerable Software and Affected Versions** wp-file-manager plugin versions prior to 6.9 **Description** The issue allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. The issue was exploited in the wild in August and September 2020. Approximately 42% of users who installed the plugin were still vulnerable to this attack at the time of a post about it. **Recommendations** For versions prior to 6.9, update the wp-file-manager plugin to version 6.9 or later to resolve the issue. As a temporary workaround, consider disabling the elFinder upload functionality until a patch is available. Restrict access to the wp-content/plugins/wp-file-manager/lib/files/ directory to minimize the risk of exploitation. Avoid using the elFinder connector file with the .php extension in the affected plugin until the issue is resolved.