CVE-2025-13439
Information Disclosure in Fancy Product Designer Plugin via Unsanitized Input
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fancy_product_designer | fancy_product_designer | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Fancy Product Designer plugin for WordPress has an Information Disclosure vulnerability in versions up to 6.4.8. It occurs because the plugin does not properly validate user input in the 'url' parameter of the fpd_custom_uplod_file AJAX action. This input is passed directly to the getimagesize() function without sanitization. On PHP 7.x, this can be exploited directly by unauthenticated attackers to read arbitrary sensitive files on the server, including wp-config.php. On PHP 8+, direct exploitation is blocked due to a separate bug, but attackers can still exploit a TOCTOU race condition (CVE-2025-13231) in the same plugin to achieve the same effect.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to read arbitrary sensitive files from the server hosting the Fancy Product Designer plugin. This can lead to exposure of critical configuration files such as wp-config.php, which may contain database credentials and other sensitive information. Such information disclosure can compromise the security of the entire WordPress site and its data.
What immediate steps should I take to mitigate this vulnerability?
Update the Fancy Product Designer plugin to version 6.5.0 or later, as this version includes improved security for uploads addressing the vulnerability. [2]