Security readout for executives and security teams
Plain-English summary
A logged-in low-privileged WordPress user could change important site settings in Fancy Product Designer versions through 4.6.9. The reported impact includes changing the default role to administrator, which can turn ordinary account creation into site takeover risk.
Executive priority
Treat this as urgent for public or customer-login WordPress sites. A basic account could potentially alter site options and enable administrator access, creating business risk around site integrity, customer trust, and recovery effort.
Technical view
CVE-2021-4334 is a missing authorization check in the plugin's fpd_update_options function. Authenticated users with subscriber-level permissions can modify WordPress options. The source rates it CVSS 8.8 high under CWE-285, with confidentiality, integrity, and availability impacts.
Likely exposure
Exposure is likely on WordPress sites running Fancy Product Designer up to and including 4.6.9, especially sites with subscriber accounts, customer logins, memberships, or open registration.
Exploitation context
The supplied sources do not show KEV listing or confirmed active exploitation. The weakness is still serious because it needs only low-privileged authenticated access and can alter security-sensitive site options.
Researcher notes
Evidence names fpd_update_options and missing capability checks, but the bundle does not include patch diff, proof of exploitation, or exact fixed release. Validate using version inventory, vendor advisory review, and configuration audit rather than offensive reproduction.
Mitigation direction
- Check vendor and Wordfence guidance for the fixed version, then update the plugin.
- Disable open registration until the plugin is remediated or exposure is confirmed absent.
- Limit subscriber-level account creation and remove unnecessary low-privileged accounts.
- Review WordPress default role and administrator accounts for unauthorized changes.
- Restore unexpected option changes from known-good backups where needed.
Validation and detection
- Inventory all WordPress sites for Fancy Product Designer plugin versions.
- Confirm no deployed instance is running version 4.6.9 or earlier.
- Review the WordPress default_role option for unexpected administrator configuration.
- Audit administrator accounts created after the exposure window began.
- Check plugin change logs or vendor notes to confirm the authorization fix.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-285: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupPrivilege behavior lookup
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2021-4334 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.85.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
8.8HighVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source materials
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Authorization
Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
