Description
The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Published: 2026-01-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

The Fancy Product Designer plugin for WordPress contains improper error handling in its PDF upload feature, exposing full server filesystem paths and stack traces in error messages. This allows unauthenticated attackers to learn the underlying directory structure of the web application, which can aid in launching additional attacks but is not useful on its own to compromise the site.

Affected Systems

WordPress sites running the Fancy Product Designer plugin by Radykal, all versions up to and including 6.4.8.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3 and an EPSS of less than 1%, indicating a moderate severity but a very low probability that it is being actively exploited today. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated request to the PDF upload endpoint with a crafted 'pdf' parameter, which causes the plugin to return filesystem paths in the error response. While the information disclosed does not directly lead to a compromise, it provides an attacker with valuable context that can be used to target other, more severe weaknesses.

Generated by OpenCVE AI on April 21, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fancy Product Designer plugin to the latest available version, which fixes the error-handling issue.
  • If an immediate upgrade is not possible, restrict access to the PDF upload endpoint or disable the feature entirely to prevent error disclosure.
  • Keep WordPress and WooCommerce core, plugins, and the theme up to date to avoid other undisclosed vulnerabilities that could leverage the disclosed path information.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Radykal; Radykal fancy Product Designer; Wordpress; Wordpress wordpress
Vendors & Products   -                Radykal; Radykal fancy Product Designer; Wordpress; Wordpress wordpress
Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 05:00:00 +0000

Type          Values Removed   Values Added
Description   -                The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Title         -                Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Full Path Disclosure via 'pdf' Parameter
Weaknesses    -                CWE-209
References    -                -
Metrics       -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:13.686Z

Reserved: 2026-01-15T16:36:27.098Z

Link: CVE-2025-15526

Vulnrichment

Updated: 2026-01-16T14:02:33.579Z

NVD

Status : Deferred

Published: 2026-01-16T05:16:13.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses