CVE-2025-15526
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fancy_product_designer | fancy_product_designer | up to 6.4.8 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Full Path Disclosure in the Fancy Product Designer plugin for WordPress (up to version 6.4.8). It occurs because of improper error handling in the PDF upload functionality, which causes error messages to reveal server filesystem paths and stack traces. This information disclosure can be exploited by unauthenticated attackers to learn the full path of the web application, potentially aiding further attacks. However, the disclosed information alone is not sufficient to cause damage without another vulnerability being present.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can obtain the full server path of the web application, which can help them in planning and executing additional attacks against the website. While the information disclosed does not directly cause harm, it can be used in combination with other vulnerabilities to compromise the affected website.