LiveActive security incident?Get immediate response
CVE Record

CVE-2021-4334: Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.

HighCVSS 8.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A logged-in low-privileged WordPress user could change important site settings in Fancy Product Designer versions through 4.6.9. The reported impact includes changing the default role to administrator, which can turn ordinary account creation into site takeover risk.

Executive priority

Treat this as urgent for public or customer-login WordPress sites. A basic account could potentially alter site options and enable administrator access, creating business risk around site integrity, customer trust, and recovery effort.

Technical view

CVE-2021-4334 is a missing authorization check in the plugin's fpd_update_options function. Authenticated users with subscriber-level permissions can modify WordPress options. The source rates it CVSS 8.8 high under CWE-285, with confidentiality, integrity, and availability impacts.

Likely exposure

Exposure is likely on WordPress sites running Fancy Product Designer up to and including 4.6.9, especially sites with subscriber accounts, customer logins, memberships, or open registration.

Exploitation context

The supplied sources do not show KEV listing or confirmed active exploitation. The weakness is still serious because it needs only low-privileged authenticated access and can alter security-sensitive site options.

Researcher notes

Evidence names fpd_update_options and missing capability checks, but the bundle does not include patch diff, proof of exploitation, or exact fixed release. Validate using version inventory, vendor advisory review, and configuration audit rather than offensive reproduction.

Mitigation direction

  • Check vendor and Wordfence guidance for the fixed version, then update the plugin.
  • Disable open registration until the plugin is remediated or exposure is confirmed absent.
  • Limit subscriber-level account creation and remove unnecessary low-privileged accounts.
  • Review WordPress default role and administrator accounts for unauthorized changes.
  • Restore unexpected option changes from known-good backups where needed.

Validation and detection

  • Inventory all WordPress sites for Fancy Product Designer plugin versions.
  • Confirm no deployed instance is running version 4.6.9 or earlier.
  • Review the WordPress default_role option for unexpected administrator configuration.
  • Audit administrator accounts created after the exposure window began.
  • Check plugin change logs or vendor notes to confirm the authorization fix.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-285: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Privilege behavior lookup

The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-4334 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2021-4334Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
radykalFancy Product Designer0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-285 · source CWE mapping

Improper Authorization

Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.