The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.


https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4334
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.
2023-10-20T08:15:11Z

Source: CVEAnnouncements
Source Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4334