Description
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch.
Published: 2025-12-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch Now
AI Analysis

Impact

The Fancy Product Designer plugin for WordPress suffers from a time‑of‑check/time‑of‑use race condition in the fpd_custom_uplod_file AJAX action. During validation the plugin calls getimagesize() on the supplied URL, then later fetches the same URL with file_get_contents(). An unauthenticated attacker can exploit the timing window by serving a valid image during validation, then changing the response to redirect to an arbitrary internal or external URL during the actual fetch. This allows the attacker to make the server consider any specified URL, effectively enabling server‑side request forgery. The weakness represented is a classic race‑condition flaw (CWE‑362).

Affected Systems

Affected vendor: radykal. Product: Fancy Product Designer plugin for WordPress. All releases up to and including 6.4.8 are vulnerable. No other vendors or products are affected based on the available data.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1 % suggests a low probability of current exploitation in the wild, though the vulnerability can be leveraged by any unauthenticated user. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers need only send a crafted AJAX request to the vulnerable endpoint; no prior authentication is required. If successfully exploited, the server can redirect to various internal or external destinations, potentially exposing sensitive internal networks or facilitating data exfiltration.

Generated by OpenCVE AI on April 21, 2026 at 00:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately upgrade the Fancy Product Designer plugin to a patched release (at least 6.4.9) or the latest available version.
  • If an upgrade cannot be performed before detection, block outbound HTTP/HTTPS traffic from the WordPress instance to untrusted hosts using firewall rules or a proxy to mitigate SSRF attempts.
  • As a short‑term measure, disable or restrict the fpd_custom_upload_file AJAX action until the race condition is resolved, or modify the plugin code to perform validation and retrieval atomically or to reject non‑whitelisted URLs before fetching.

Generated by OpenCVE AI on April 21, 2026 at 00:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Radykal
Radykal fancy Product Designer
Wordpress
Wordpress wordpress
Vendors & Products Radykal
Radykal fancy Product Designer
Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch.
Title Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Server-Side Request Forgery via Race Condition
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Radykal Fancy Product Designer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:53.251Z

Reserved: 2025-11-15T02:26:51.064Z

Link: CVE-2025-13231

cve-icon Vulnrichment

Updated: 2025-12-16T21:35:20.245Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:15:51.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13231

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses