CVE-2025-12570 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, discovered in the Fancy Product Designer plugin for WordPress developed by radykal. This vulnerability affects all versions up to and including 6.4.8. The root cause is insufficient sanitization and escaping of user-supplied SVG files uploaded via the plugin's data-to-image.php and pdf-to-image.php scripts. An attacker can exploit this by uploading a crafted SVG file containing malicious JavaScript code. Because the plugin stores these SVG files and serves them to users, the malicious script executes in the context of any user who views the infected SVG, enabling attacks such as session hijacking, credential theft, or unauthorized actions on behalf of the user. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network with low complexity. The CVSS v3.1 score of 7.2 reflects a high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change due to the impact on other components. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. Given the plugin’s popularity in WordPress e-commerce sites, this vulnerability poses a significant risk to website integrity and user security.

The impact of CVE-2025-12570 is substantial for organizations using the Fancy Product Designer plugin, particularly e-commerce and product customization websites. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of site visitors, potentially leading to theft of session cookies, user credentials, or other sensitive data. This can facilitate account takeover, unauthorized transactions, or further malware distribution. The vulnerability compromises the confidentiality and integrity of user data and can damage the reputation and trustworthiness of affected websites. Although availability is not directly impacted, the resulting security incidents could lead to downtime or remediation costs. The fact that exploitation requires no authentication or user interaction increases the risk of widespread automated attacks. Organizations may also face regulatory and compliance consequences if user data is compromised. The scope of affected systems is broad due to the plugin’s widespread use in WordPress environments worldwide.

To mitigate CVE-2025-12570, organizations should immediately disable SVG file uploads in the Fancy Product Designer plugin until a vendor patch is available. Implement strict server-side validation and sanitization of all uploaded SVG files to remove or neutralize embedded scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS payloads. Monitor web server logs and application behavior for unusual SVG upload patterns or script execution attempts. Consider using Web Application Firewalls (WAFs) with rules targeting SVG-based XSS attacks. Regularly update the plugin once the vendor releases a security patch addressing this vulnerability. Additionally, educate site administrators about the risks of allowing SVG uploads and enforce the principle of least privilege for file upload functionalities. Conduct security audits and penetration testing focused on file upload features to detect similar vulnerabilities proactively.