PT-2025-51468 · WordPress · Fancy Product Designer
Muhammad Zeeshan · Published 2025-12-16 · Updated 2025-12-17 · CVE-2025-13231
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Fancy Product Designer versions prior to 6.4.9
Description
The software is susceptible to a Server-Side Request Forgery (SSRF) issue, caused by a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_upload_file AJAX action. Validation calls getimagesize() and then file_get_contents() on the same URL, so the URL is fetched twice. Because the target can change between the two requests, an attacker can supply a URL that serves a valid image for the check and then redirects the second request to an arbitrary internal or external URL.
Recommendations
Update the Fancy Product Designer plugin to version 6.4.9 or later.
Fix
Race Condition
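The two-request pattern described above beside a single-fetch alternative, as an added example for illustration (not the plugin's own code). The function names, the size limit and the allowed MIME list are assumptions; the hardened form resolves the host once, pins that address for the request, refuses redirects, and validates the bytes it actually received.

```php
<?php
// VULNERABLE: two independent requests to the caller-controlled $url.
function fetch_image_vulnerable(string $url): ?string {
    $info = @getimagesize($url);       // request 1: passes if the URL serves an image right now
    if ($info === false) {
        return null;
    }
    return file_get_contents($url);    // request 2: the same URL may point elsewhere by now
}

// HARDENED: screen the host, fetch exactly once, validate what was received.
function fetch_image_hardened(string $url, int $max_bytes = 5 * 1024 * 1024): ?string {
    $parts = parse_url($url);
    $scheme = $parts['scheme'] ?? '';
    if ($parts === false || !in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    // Resolve once (IPv4 only here) and refuse private, loopback and reserved targets.
    $ip = gethostbyname($parts['host']);   // returns the input unchanged when resolution fails
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect is a failure, not a new target
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ip}"], // pin the screened address
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $max_bytes,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200 || strlen($body) > $max_bytes) {
        return null;
    }
    // Validate the bytes that were actually downloaded, not what the URL served earlier.
    $info = getimagesizefromstring($body);
    if ($info === false || !in_array($info['mime'], ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return null;
    }
    return $body;
}
```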
Affected Products
Fancy Product Designer