CVE-2025-13231
Published 2025-12-16
Priority: P3 38 (medium)
CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.15% (4.7th percentile)
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| radykal | fancy_product_designer | <= 6.4.8 | — |
GHSA-99r7-fr8x-2vr9 (CVE-2025-13439, MEDIUM, CWE-200, ghsa_unreviewed, 2025-12-16, CVSS 6.5): The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8.
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
GHSA-hxc6-w4hr-c74r (CVE-2025-13231, MEDIUM, CWE-362, ghsa_unreviewed, 2025-12-16): The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8.
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch.
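As an added example tied to the CVE description above and to the GHSA-hxc6-w4hr-c74r entry (this is not code from the plugin or from the tracker): the check-then-fetch shape the advisory describes, beside a single-fetch version that validates the bytes it actually received instead of requesting the URL twice. The function names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): the two-request pattern behind
// CVE-2025-13231 next to a single-fetch alternative. Function names are hypothetical.

// Vulnerable shape: the URL is checked with one HTTP request (getimagesize)
// and fetched with a second (file_get_contents), which also follows redirects.
// An origin that answers request 1 with a real image and request 2 with a
// redirect passes the check yet steers the real fetch elsewhere (TOCTOU).
function fetch_remote_image_vulnerable($url)
{
    if (@getimagesize($url) === false) {     // check: request 1
        return false;
    }
    return @file_get_contents($url);          // use: request 2
}

// Hardened shape: allow only http/https, fetch exactly once with redirects
// disabled and a size cap, require a 200 response, then validate the bytes
// actually received rather than re-requesting the URL.
function fetch_remote_image_hardened($url, $maxBytes = 5000000)
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                         // rejects php://, file://, data:, ...
    }
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,               // never follow 3xx
        'timeout'         => 5,
        'ignore_errors'   => true,            // keep the body so the status can be inspected
    ]]);
    $body = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    if ($body === false || strlen($body) > $maxBytes) {
        return false;
    }
    // $http_response_header is populated in this scope by the http wrapper.
    $status = isset($http_response_header[0]) ? $http_response_header[0] : '';
    if (!preg_match('#^HTTP/\S+\s+200\b#', $status)) {
        return false;                         // redirect or error response
    }
    $info = @getimagesizefromstring($body);   // validate what we hold, once
    $allowed = ['image/png', 'image/jpeg', 'image/gif'];
    if ($info === false || !in_array($info['mime'], $allowed, true)) {
        return false;
    }
    return $body;                             // these exact bytes are what gets stored
}
// Note: denying internal and link-local destinations (SSRF host filtering) is a
// separate control not shown here.
```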
No detection rules found.
No public exploits indexed.