Information Disclosure Vulnerability in Fancy Product Designer Plugin for WordPress
CVE-2025-13439

5.9 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 16 December 2025

What is CVE-2025-13439?

The Fancy Product Designer plugin for WordPress is susceptible to an information disclosure vulnerability due to inadequate validation of user input in the 'url' parameter of the fpd_custom_upload_file AJAX action. Because the value is passed to getimagesize() without proper sanitization, unauthenticated attackers could potentially read sensitive files, including the configuration file wp-config.php. Although PHP 8+ mitigates direct exploitation via PHP filter chains, the risk remains in PHP 7.x environments and can be exacerbated by a time-of-check to time-of-use (TOCTOU) race condition, which is a separately identified issue in this plugin.
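As an added example (not the plugin's own code; the handler, action and nonce names are assumptions), the unsafe pattern the advisory describes is shown beside a hardened handler that validates the URL through the WordPress HTTP API and only ever calls getimagesize() on a locally downloaded copy:

```php
<?php
// Added example, not the plugin's own code: a user-supplied image URL handled
// first in the unsafe pattern the advisory describes, then in a hardened form.
// The handler, action and nonce names are hypothetical.

// Unsafe pattern: the raw 'url' parameter reaches getimagesize(), which opens
// whatever the string names, so a local path or a PHP stream wrapper is read
// just like a remote image.
function example_unsafe_upload_handler() {
    $url  = $_POST['url'] ?? '';
    $info = getimagesize($url);
    wp_send_json(['size' => $info]);
}

// Hardened pattern: accept only http(s) URLs to public hosts, fetch the
// resource through the WordPress HTTP API into a temp file, and run
// getimagesize() on that local copy only.
function example_hardened_upload_handler() {
    check_ajax_referer('example_upload_nonce', 'nonce');
    $raw = isset($_POST['url']) ? wp_unslash($_POST['url']) : '';

    // wp_http_validate_url() rejects non-http(s) schemes (php://, file://,
    // data:) and hosts that resolve to loopback or private ranges.
    $url = wp_http_validate_url($raw);
    if ($url === false) {
        wp_send_json_error('invalid url', 400);
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url($url, 15);   // the untrusted string is never opened locally
    if (is_wp_error($tmp)) {
        wp_send_json_error('fetch failed', 400);
    }

    // Verify the downloaded bytes really are an image of an allowed type.
    $info    = @getimagesize($tmp);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        @unlink($tmp);
        wp_send_json_error('not an image', 400);
    }
    // At this point $tmp can be handed to wp_handle_sideload(); the check and
    // the use operate on the same local file, which closes the TOCTOU gap.
    @unlink($tmp);
    wp_send_json_success(['width' => $info[0], 'height' => $info[1]]);
}

add_action('wp_ajax_example_upload',        'example_hardened_upload_handler');
add_action('wp_ajax_nopriv_example_upload', 'example_hardened_upload_handler');
```

The nopriv hook is kept because the advisory states the action is reachable unauthenticated; the nonce and URL validation are what limit what such a caller can make the server open.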

Affected Version(s)

Fancy Product Designer * <= 6.4.8

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Zeeshan