CVE-2025-13439 — Sensitive Information Exposure in Fancy Product Designer

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.0% (top 88.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 16

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (1 package)

CVEListV5: radykal/fancy_product_designer, version 6.4.8

Vulnerability Details (2)

GHSA
GHSA-99r7-fr8x-2vr9: The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6 (2025-12-16)

CVEList
Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure and PHAR Deserialization via 'url' Parameter (2025-12-16)

πŸ•΅οΈThreat Intelligence

1
Wiz
CVE-2025-13439 Impact, Exploitability, and Mitigation Steps | Wiz↗
β–Ά
CVE-2025-13439 β€” Sensitive Information Exposure | cvebase