CVE-2025-13439
Unknown Unknown - Not Provided
Information Disclosure in Fancy Product Designer Plugin via Unsanitized Input

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: Wordfence

Description
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13439
EUVD
EUVD-2025-203524
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fancy_product_designer fancy_product_designer *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Fancy Product Designer plugin for WordPress has an Information Disclosure vulnerability in versions up to 6.4.8. It occurs because the plugin does not properly validate user input in the 'url' parameter of the fpd_custom_uplod_file AJAX action. This input is passed directly to the getimagesize() function without sanitization. On PHP 7.x, this can be exploited directly by unauthenticated attackers to read arbitrary sensitive files on the server, including wp-config.php. On PHP 8+, direct exploitation is blocked due to a separate bug, but attackers can still exploit a TOCTOU race condition (CVE-2025-13231) in the same plugin to achieve the same effect.

Impact Analysis

This vulnerability allows unauthenticated attackers to read arbitrary sensitive files from the server hosting the Fancy Product Designer plugin. This can lead to exposure of critical configuration files such as wp-config.php, which may contain database credentials and other sensitive information. Such information disclosure can compromise the security of the entire WordPress site and its data.

Mitigation Strategies

Update the Fancy Product Designer plugin to version 6.5.0 or later, as this version includes improved security for uploads addressing the vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart