Server-Side Request Forgery in Fancy Product Designer Plugin for WordPress
CVE-2025-13231
6.5 MEDIUM
What is CVE-2025-13231?
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery via a time-of-check/time-of-use (TOCTOU) race condition on the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin first validates the supplied URL with getimagesize() and then fetches it separately with file_get_contents(), so the remote resource is requested twice. An attacker who controls the remote host can answer the first request with a valid image, passing the check, and answer the second request with a redirect to an arbitrary internal or external URL, which file_get_contents() follows. Because the action is reachable without authentication, unauthenticated attackers can make a site running this plugin issue requests to arbitrary internal or external destinations.
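The following PHP is an added illustration of the two-request pattern the advisory describes, placed beside a hardened alternative. It is not the plugin's code: the function names, the size limit and the exact checks are assumptions made for this example, and the vulnerable function reproduces only the check-then-fetch shape named above, not the plugin's actual source.

```php
<?php
// Added example (not the plugin's code). Function names are invented.

/**
 * Vulnerable pattern: the URL is checked with one HTTP request (getimagesize)
 * and then downloaded with a second, independent request (file_get_contents).
 * Both calls follow redirects by default, so a server the attacker controls can
 * return a real image to request 1 and a redirect to an internal address to
 * request 2: the check and the use see different resources.
 */
function fetch_remote_image_vulnerable(string $url)
{
    $info = @getimagesize($url);          // request 1: time of check
    if ($info === false) {
        return false;
    }
    return @file_get_contents($url);      // request 2: time of use
}

/**
 * Hardened pattern: restrict scheme and destination, fetch exactly once with
 * redirects disabled, and validate the bytes that were actually received.
 * There is no second request for the attacker to redirect.
 */
function fetch_remote_image_hardened(string $url, int $max_bytes = 5242880)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                     // no file://, php://, gopher://, ...
    }

    // Resolve once and reject loopback, private and reserved ranges.
    // gethostbyname() returns the input unchanged on failure (and for IPv6
    // literals), and filter_var() then rejects it, which is the safe default.
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }

    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'follow_location' => 0,       // never follow a 3xx
            'max_redirects'   => 0,
            'timeout'         => 5,
            'ignore_errors'   => true,    // return the body and status instead of a warning
        ],
    ]);
    $bytes = @file_get_contents($url, false, $ctx, 0, $max_bytes);
    if ($bytes === false) {
        return false;
    }

    // $http_response_header is set by the http wrapper in this scope; require a plain 200
    // so a 3xx answer (which we did not follow) is rejected rather than parsed.
    if (!isset($http_response_header[0])
        || !preg_match('#^HTTP/\d(?:\.\d)?\s+200\b#', $http_response_header[0])) {
        return false;
    }

    // Validate the bytes we downloaded, not a fresh fetch of the URL.
    $info = getimagesizefromstring($bytes);
    if ($info === false) {
        return false;
    }
    return $bytes;
}
```

Two caveats a reviewer would raise even for the hardened version: the name resolution in gethostbyname() and the later connection are still two steps, so a rebinding DNS record can reopen a smaller window, and the image check only proves the payload parses as an image, not that the destination was acceptable. In a WordPress plugin the usual transport is wp_safe_remote_get(), which applies wp_http_validate_url() to reject non-http(s) schemes and private or reserved addresses; the single-fetch-then-validate-bytes structure above is what removes the race itself.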
Affected Version(s)
Fancy Product Designer <= 6.4.8 (all versions up to and including 6.4.8)