CVE-2025-13231 — Race Condition in Fancy Product Designer

CWE-362 — Race Condition4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 87.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Radykal Fancy Product Designer

Timeline

PublishedDec 16

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by s…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

▶CVEListV5radykal/fancy_product_designer6.4.8

🔴Vulnerability Details

GHSA

GHSA-hxc6-w4hr-c74r: The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6↗2025-12-16

▶

CVEList

Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Server-Side Request Forgery via Race Condition↗2025-12-16

▶

🕵️Threat Intelligence

Wiz

CVE-2025-13231 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶