Stored Cross-Site Scripting Vulnerability in Fancy Product Designer for WordPress
CVE-2025-12570

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 12 December 2025

What is CVE-2025-12570?

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting through SVG file uploads. The issue arises from inadequate input sanitization and output escaping in two files, data-to-image.php and pdf-to-image.php. The flaw allows unauthenticated attackers to inject arbitrary scripts into pages, and those scripts can execute whenever a user accesses the compromised SVG file. Users of the affected versions should consider updating immediately and implementing security measures to mitigate potential exploitation.
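
An added example, not the plugin's code or the vendor's fix: a conservative audit for active content in SVG files that have already been stored by an upload handler, the file type this advisory concerns. The function names, finding labels and sample SVGs are constructed here, and the element and attribute lists are an assumed baseline rather than a complete filter.

```python
import re
import xml.etree.ElementTree as ET

# Conservative baseline (an assumption of this example), not an exhaustive filter.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# href/src plus the SVG animation attributes that can assign a URL.
URL_ATTRS = {"href", "src", "to", "from", "values"}
BAD_SCHEME = re.compile(r"^(javascript:|vbscript:|data:text/html)", re.I)


def local(name):
    """Strip an XML namespace: '{ns}Script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def audit_svg(data: bytes):
    """Return findings for one SVG; an empty list means nothing was flagged."""
    # Flag DTDs without parsing: entity declarations are the vehicle for
    # entity-expansion DoS (byte match assumes an ASCII-compatible encoding).
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not-well-formed"]  # fail closed rather than guess
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name)
            # Browsers ignore tabs/newlines inside a URL scheme, so drop
            # whitespace and control characters before matching.
            url = re.sub(r"[\x00-\x20]", "", value)
            if attr.startswith("on"):
                findings.append(f"handler:{tag}@{attr}")
            elif attr in URL_ATTRS and BAD_SCHEME.match(url):
                findings.append(f"url:{tag}@{attr}")
    return findings


# Constructed samples, not taken from the advisory.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg"'
          b' xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">'
          b'<script>void 0</script>'
          b'<a xlink:href="java&#9;script:void 0"><rect width="4" height="4"/></a></svg>')
```

Run `audit_svg` over each stored `.svg` and quarantine any file with a non-empty result; SVGs that carry a standard DOCTYPE are flagged too and need manual review.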

Affected Version(s)

Fancy Product Designer * <= 6.4.8

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Zeeshan
Muhammad Hassan