CVE-2025-12570 β€” Cross-site Scripting in Fancy Product Designer

CWE-79 β€” Cross-site Scripting4 documents4 sources
Severity
7.2HIGHNVD
EPSS
0.2%
top 56.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Radykal Fancy Product Designer
Timeline
PublishedDec 12

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages1 packages

β–ΆCVEListV5radykal/fancy_product_designer6.4.8

πŸ”΄Vulnerability Details

2
GHSA
GHSA-fqrr-ccrj-cm5x: The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including↗2025-12-12
β–Ά
CVEList
Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload↗2025-12-12
β–Ά

πŸ•΅οΈThreat Intelligence

1
Wiz
CVE-2025-12570 Impact, Exploitability, and Mitigation Steps | Wiz↗
β–Ά
CVE-2025-12570 β€” Cross-site Scripting | cvebase