CVE-2021-24370
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- January 14, 2021
- Published Date
- June 21, 2021
- Last Updated
- August 03, 2024
- Vendor
- Unknown
- Product
- Fancy Product Designer
- Description
- The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
- Tags
- Score
- 83.45% (Percentile: 99.21%) as of 2025-05-12
- Exploited in the Wild
- Yes (2021-06-01 08:59:19 UTC) Source
wordpress
nuclei_scanner
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Score
Exploit Status
References
https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
https://lists.openwall.net/full-disclosure/2020/11/17/2
https://seclists.org/fulldisclosure/2020/Nov/30
https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| Wordfence | 2021-06-01 08:59:19 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24370.yaml | 2025-04-26 00:00:00 UTC |
Timeline
-
CVE ID Reserved
-
Added to KEVIntel
-
CVE Published to Public
-
Detected by Nuclei