PT-2022-11383 · WordPress · Fancy Product Designer

Lin Yu · Published 2022-02-16 · Updated 2022-02-24

CVE-2021-4134

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

The Fancy Product Designer WordPress plugin, versions up to and including 4.7.4.

Description

The issue arises from insufficient escaping and parameterization of the ID parameter in the ~/inc/api/class-view.php file, allowing attackers with administrative-level permissions to inject arbitrary SQL queries and obtain sensitive information.

Recommendations

For versions up to and including 4.7.4, update to a version that addresses the SQL injection issue. As a temporary workaround, consider restricting access to the ~/inc/api/class-view.php file to minimize the risk of exploitation, and avoid using the ID parameter of the affected API endpoint until the issue is resolved.
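The following is an added illustration of the bug class the description names, not the plugin's own code: the handler name, table name and query shape are assumptions. It places the unparameterized pattern beside the WordPress-idiomatic fix, which binds the ID through $wpdb->prepare() as an integer.

```php
<?php
// Added illustration; not code from the Fancy Product Designer plugin.
// Handler names, the fpd_views table and the query shape are assumed for this example.

// Vulnerable pattern: the request's ID value is spliced into the SQL text as-is.
// Without escaping or parameterization, the statement's structure depends on user input,
// which is the condition the advisory describes.
function fpd_example_get_view_vulnerable( $request ) {
    global $wpdb;
    $id  = $request['ID'];
    $sql = "SELECT * FROM {$wpdb->prefix}fpd_views WHERE ID = " . $id;   // no escaping, no placeholder
    return $wpdb->get_row( $sql );
}

// Hardened form: the ID is normalized with absint() and bound through $wpdb->prepare()
// with a %d placeholder, so the database only ever sees an integer literal.
// The capability check is defense in depth; the advisory's attacker already holds
// administrative permissions, so the parameterization is the actual fix.
function fpd_example_get_view_fixed( $request ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions', array( 'status' => 403 ) );
    }

    $id = isset( $request['ID'] ) ? absint( $request['ID'] ) : 0;
    if ( 0 === $id ) {
        return new WP_Error( 'bad_id', 'ID must be a positive integer', array( 'status' => 400 ) );
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}fpd_views WHERE ID = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

When reviewing a fix for this class of issue, confirm that every query touching the ID value goes through $wpdb->prepare() (or an equivalent placeholder mechanism) rather than only the one path the report named.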

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2021-4134

Affected Products

Fancy Product Designer