PT-2025-51377 · WordPress · Fancy Product Designer

Muhammad Zeeshan · Published 2025-12-16 · Updated 2026-01-22 · CVE-2025-13439

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fancy Product Designer plugin for WordPress, versions prior to 6.4.9

Description: The plugin does not adequately validate user-supplied input in the url parameter of the 'fpd custom uplod file' AJAX action. The value is passed directly to getimagesize() without sanitization. Exploitation via PHP filter chains is restricted on PHP 8 and later, but the flaw can still be exploited through a TOCTOU race condition, and may be directly exploitable on PHP 7.x installations. As a result, unauthenticated attackers can read arbitrary sensitive files from the server, such as wp-config.php.

Recommendations: Update the Fancy Product Designer plugin to version 6.4.9 or later.
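The root cause above is a user-controlled string reaching getimagesize(), which accepts any PHP stream wrapper. The following is an added illustration, not the plugin's code: the unsafe pattern beside a hardened variant that allow-lists the URL scheme and inspects a fetched local copy instead of dereferencing the user string again. Function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Hypothetical illustration of the pattern described in the advisory; not
// the plugin's actual code. Function names are assumptions.

/**
 * Accept only absolute http(s) URLs that parse cleanly. Every other scheme
 * (php://, file://, data://, phar://, ...) and any bare path is rejected
 * before it can reach a function that opens files.
 */
function fpd_example_is_safe_remote_url(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

/** Unsafe pattern: the user-controlled value goes straight into getimagesize(). */
function fpd_example_probe_image_unsafe(string $url) {
    return @getimagesize($url);
}

/**
 * Hardened pattern: validate the scheme, fetch the resource once into a
 * temporary file, and inspect that local copy. Dereferencing the
 * user-supplied string a single time removes the check-then-use window
 * that a TOCTOU race between validation and getimagesize() relies on.
 */
function fpd_example_probe_image_safe(string $url) {
    if (!fpd_example_is_safe_remote_url($url)) {
        return false;
    }
    // In WordPress, prefer wp_safe_remote_get() or download_url(), which
    // additionally refuse loopback and private-network hosts by default.
    $body = @file_get_contents($url);
    if ($body === false) {
        return false;
    }
    $tmp = tempnam(sys_get_temp_dir(), 'fpd');
    file_put_contents($tmp, $body);
    $info = @getimagesize($tmp);
    unlink($tmp);
    return $info;
}

// Constructed inputs: only the first passes the scheme allow-list.
foreach (['https://example.com/logo.png', 'file:///tmp/anything', 'php://memory'] as $candidate) {
    var_dump(fpd_example_is_safe_remote_url($candidate));
}
```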

Fix · Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2025-13439

Affected Products: Fancy Product Designer