Description
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Published: 2025-12-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

The Fancy Product Designer plugin for WordPress is vulnerable to an unauthenticated information disclosure flaw that also exposes a PHAR deserialization sink. The issue originates from the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which is passed straight into PHP's getimagesize() without validation. getimagesize() opens whatever path or stream it is handed, so an attacker can point it at local files such as wp-config.php (exposing database credentials and authentication salts) or at a phar:// wrapper, which on PHP 7.x causes PHP to unserialize the archive's metadata (PHP 8.0 stopped unserializing phar metadata on plain stream access). The advisory scores only the confidentiality impact (CVSS vector C:H/I:N/A:N) and claims no code execution; whether the deserialization sink yields anything further depends on which serializable classes are loaded on the target and is not asserted by the advisory. In effect, an attacker gains a path to read any file the web server process can access.
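To make the unsafe data flow concrete, here is an added example (not the plugin's own code) of a hypothetical WordPress AJAX handler that reproduces the pattern the advisory describes, beside a hardened version. The function and hook names prefixed fpd_example_ and the nonce name are invented for this page; the WordPress APIs used (wp_http_validate_url, download_url, wp_handle_sideload) are real.

```php
<?php
// Added example (not the plugin's code): a hypothetical WordPress AJAX handler
// that reproduces the unsafe pattern the advisory describes, beside a hardened
// version. Names prefixed fpd_example_ are invented for this page.

// ---- UNSAFE: a user-controlled string flows straight into getimagesize() ----
// getimagesize() opens whatever it is handed: a relative path such as
// ../../wp-config.php, php://filter/..., or phar://... (on PHP 7.x the latter
// makes PHP unserialize() the archive's metadata). Shown only to illustrate.
function fpd_example_unsafe_upload() {
    $url  = isset( $_REQUEST['url'] ) ? (string) $_REQUEST['url'] : '';
    $info = @getimagesize( $url );           // <-- the sink named in the advisory
    wp_send_json( $info );
}

// ---- HARDENED ----
// Accept only absolute http(s) URLs. wp_http_validate_url() additionally
// rejects loopback/private-range hosts unless a filter allows them (limits SSRF).
function fpd_example_validate_remote_image_url( $url ) {
    $url = trim( (string) $url );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'fpd_bad_url', 'Only absolute http(s) URLs are accepted.' );
    }
    $scheme = strtolower( (string) wp_parse_url( $url, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'fpd_bad_scheme', 'Unsupported URL scheme.' );
    }
    return $url;
}

function fpd_example_safe_upload() {
    // Nonce + capability check: no unauthenticated path into the handler.
    check_ajax_referer( 'fpd_example_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url = fpd_example_validate_remote_image_url( $_REQUEST['url'] ?? '' );
    if ( is_wp_error( $url ) ) {
        wp_send_json_error( $url->get_error_message(), 400 );
    }

    // Fetch with the WP HTTP API into a WP-created temp file and inspect those
    // bytes: getimagesize() now only ever sees a path the code chose.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $url, 15 );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    $info    = @getimagesize( $tmp );
    $allowed = array( IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP );
    if ( false === $info || ! in_array( $info[2], $allowed, true ) ) {
        @unlink( $tmp );
        wp_send_json_error( 'not a supported image', 415 );
    }

    // Hand the verified file to the media library under a server-chosen name;
    // wp_handle_sideload() re-checks the MIME type against allowed upload types.
    $file = array(
        'name'     => 'fpd-' . wp_generate_password( 8, false ) . image_type_to_extension( $info[2] ),
        'tmp_name' => $tmp,
    );
    $result = wp_handle_sideload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        @unlink( $tmp );
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'width' => $info[0], 'height' => $info[1] ) );
}
add_action( 'wp_ajax_fpd_example_upload', 'fpd_example_safe_upload' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors get no entry point.
```

The key change is not a blocklist of dangerous prefixes but a change of trust boundary: the attacker-controlled string is only ever used as an HTTP URL that WordPress fetches, and the file-inspection function is given a path the server created. A blocklist of php:// and phar:// would still leave plain relative paths and any wrapper not on the list.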

Affected Systems

All releases of the Fancy Product Designer plugin (vendor: Radykal) up to and including version 6.4.8 are affected. The affected version is the plugin's, not WordPress core's: any WordPress site with the plugin active exposes the 'fpd_custom_uplod_file' action to unauthenticated visitors through admin-ajax.php. The CVE record lists Radykal Fancy Product Designer and WordPress as the affected products, and the advisory title identifies the plugin as the WooCommerce product designer.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network with no privileges or user interaction, but with high attack complexity. The earlier revision of the description explains the complexity: on PHP 8+ a separate code bug in the plugin blocks direct exploitation via php:// filter chains, so an attacker must instead rely on the TOCTOU race condition tracked as CVE-2025-13231 in the same plugin, while PHP 7.x installations may be directly exploitable. The EPSS score is below 1%, the issue is not in the CISA KEV catalogue, and the SSVC assessment records Exploitation: none and Automatable: no. Exploitation consists of an unauthenticated HTTP request to the plugin's AJAX endpoint with a crafted 'url' value. The weakness is classified as CWE-200, and the scored impact is limited to confidentiality rather than integrity or availability.

Generated by OpenCVE AI on April 21, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fancy Product Designer plugin to a fixed release once the vendor publishes one; the CVE record currently lists no vendor fix or workaround, so track the advisory for a version above 6.4.8.
  • Until then, remove unauthenticated access to the 'fpd_custom_uplod_file' AJAX action (its wp_ajax_nopriv_ hook) or disable the action if it is not needed, and reject any 'url' value that is not an absolute http(s) URL before it reaches getimagesize().
  • Keep wp-config.php readable only by the web server process (file permissions cannot stop that process reading it, so the previous two actions are the real control), and, if nothing on the site relies on phar:// streams, unregister the phar stream wrapper so a smuggled archive cannot reach unserialize().
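The interim mitigations above can be applied without touching the plugin's files. The following is an added example of a must-use plugin that does so; it is not a vendor-supplied workaround. It assumes (unconfirmed by the advisory) that the vulnerable handler is registered on the standard wp_ajax_nopriv_fpd_custom_uplod_file hook during plugin load and that nothing on the site uses phar:// streams at runtime.

```php
<?php
/**
 * Plugin Name: Example hardening for CVE-2025-13439 (mu-plugin)
 * Description: Added example, not a vendor-supplied workaround. Place in
 *              wp-content/mu-plugins/ so it loads before ordinary plugins.
 */
// Assumptions (not confirmed by the advisory): the vulnerable handler is
// registered on wp_ajax_nopriv_fpd_custom_uplod_file during plugin load, and
// nothing on the site relies on phar:// streams at runtime.

// 1. Remove the unauthenticated entry point. admin-ajax.php fires admin_init
//    after all plugins have registered their hooks and before dispatching the
//    wp_ajax_* action, so running last on admin_init undoes the registration.
add_action( 'admin_init', function () {
    remove_all_actions( 'wp_ajax_nopriv_fpd_custom_uplod_file' );
}, PHP_INT_MAX );

// 2. Defence in depth for authenticated callers: refuse any 'url' that is not
//    an absolute http(s) URL before the plugin's handler can see it, and log
//    the attempt so monitoring can pick it up.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || 'fpd_custom_uplod_file' !== ( $_REQUEST['action'] ?? '' ) ) {
        return;
    }
    $url = (string) ( $_REQUEST['url'] ?? '' );
    if ( '' !== $url && ! preg_match( '#\Ahttps?://#i', $url ) ) {
        error_log( sprintf(
            'fpd hardening: blocked non-http url from %s: %s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            substr( $url, 0, 200 )
        ) );
        wp_send_json_error( 'rejected url', 400 );  // sends JSON and exits
    }
}, 0 );

// 3. Close the PHAR deserialization sink site-wide: with the wrapper gone,
//    phar:// paths fail to open instead of unserializing archive metadata.
if ( in_array( 'phar', stream_get_wrappers(), true ) ) {
    stream_wrapper_unregister( 'phar' );
}
```

To check step 1, send an anonymous POST to /wp-admin/admin-ajax.php with action=fpd_custom_uplod_file: with no nopriv handler left, WordPress answers with the literal body 0 instead of running the plugin's code. Step 3 matters mainly on PHP 7.x, because PHP 8.0 stopped unserializing phar metadata on plain stream access; it will break any plugin that legitimately opens .phar archives, which is why it is conditional on the assumption stated above.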


Advisories

No advisories yet.

History

Thu, 22 Jan 2026 02:00:00 +0000

Type: Description
Values Removed: The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Values Added: The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Type: Title
Values Removed: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure via 'url' Parameter
Values Added: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure and PHAR Deserialization via 'url' Parameter

Tue, 16 Dec 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Radykal; Radykal fancy Product Designer; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Radykal; Radykal fancy Product Designer; Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 07:30:00 +0000

Type: Description
Values Added: The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Type: Title
Values Added: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure via 'url' Parameter
Type: Weaknesses
Values Added: CWE-200
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:08.967Z

Reserved: 2025-11-19T19:03:47.252Z

Link: CVE-2025-13439

Vulnrichment

Updated: 2025-12-16T21:33:43.804Z

NVD

Status : Deferred

Published: 2025-12-16T08:15:51.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses