PT-2025-51468 · WordPress · Fancy Product Designer

Muhammad Zeeshan · Published 2025-12-16 · Updated 2025-12-17 · CVE-2025-13231

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Fancy Product Designer, versions prior to 6.4.9

Description: The plugin is vulnerable to Server-Side Request Forgery (SSRF) through the 'url' parameter of the fpd_custom_upload_file AJAX action. The handler validates the URL with getimagesize(), which issues its own HTTP request, and then fetches the same URL a second time with file_get_contents(). Because the check and the use are two independent requests, nothing guarantees that the second request reaches the resource that was checked: an attacker-controlled server can answer the validation request with a valid image and then redirect the second request elsewhere. This time-of-check/time-of-use (TOCTOU) race condition lets an unauthenticated attacker steer the server's fetch to arbitrary internal or external URLs.

Recommendations: Update the Fancy Product Designer plugin to version 6.4.9 or later.
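The pattern the advisory describes, shown beside a single-fetch rewrite that closes the gap. This is an added example and not the plugin's code or its patch: the function and constant names, the PHP 8 syntax and the use of curl are assumptions. The hardened version vets the host, pins the connection to the address it vetted (so a DNS answer cannot change between check and use), refuses redirects, fetches exactly once, and validates the bytes it actually received rather than re-requesting the URL.

```php
<?php
// Added example, not the plugin's code. Names below are ours.
const MAX_IMAGE_BYTES = 5 * 1024 * 1024;

// VULNERABLE PATTERN, reconstructed from the advisory's description:
// check and use are two separate requests to the same URL, so the remote
// server can return a harmless image for the check and a redirect (or
// different content) for the fetch.
function fetch_image_double_request(string $url): string|false
{
    $info = @getimagesize($url);        // request 1: the check
    if ($info === false) {
        return false;
    }
    return @file_get_contents($url);    // request 2: the use
}

// HARDENED: one request, validated on the bytes that are kept.
function fetch_image_single_request(string $url): string|false
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;                   // only http(s) with a host
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);

    // Resolve once; reject loopback, private and reserved ranges.
    // gethostbyname() handles IPv4 only; an IPv6-capable deployment must
    // apply the same filter to AAAA records (dns_get_record) as well.
    $ip = gethostbyname($host);
    if ($ip === $host && !filter_var($host, FILTER_VALIDATE_IP)) {
        return false;                   // resolution failed or IPv6 literal
    }
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;                   // e.g. 127.0.0.1, 10/8, 169.254/16
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION => false, // a redirect is a failure, not a detour
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        // Pin the connection to the address we vetted so a second DNS
        // lookup inside libcurl cannot rebind the name to an internal host.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
        // Returning fewer bytes than received makes libcurl abort, which
        // caps the body at MAX_IMAGE_BYTES.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body) {
            $body .= $chunk;
            return strlen($body) > MAX_IMAGE_BYTES ? 0 : strlen($chunk);
        },
    ]);
    // Refuse file://, gopher://, etc. (constant name changed in PHP 8.4).
    if (defined('CURLOPT_PROTOCOLS_STR')) {
        curl_setopt($ch, CURLOPT_PROTOCOLS_STR, 'http,https');
    } else {
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    }

    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($ok !== true || $status !== 200) {
        return false;
    }

    // Validate the bytes we will store, not a second copy of the URL.
    $info = getimagesizefromstring($body);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return false;
    }
    return $body;
}
```

The essential change is that the check and the use operate on the same object (the downloaded bytes) rather than on a URL that can resolve or redirect differently each time it is dereferenced. Inside WordPress the same goals can be reached with the HTTP API, for example wp_safe_remote_get() with 'redirection' set to 0, which rejects unsafe destinations through wp_http_validate_url(); the plain-curl form above makes each control visible.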

Weakness Enumeration

Race Condition

Related identifiers

CVE-2025-13231

Affected products

Fancy Product Designer