CVE-2025-12570 is a stored Cross-Site Scripting vulnerability identified in the radykal Fancy Product Designer plugin for WordPress, affecting all versions up to and including 6.4.8. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of SVG file uploads processed by the data-to-image.php and pdf-to-image.php scripts. These scripts fail to adequately sanitize and escape user-supplied SVG content, allowing an attacker to embed malicious JavaScript payloads within SVG files. When such a crafted SVG file is uploaded and subsequently accessed by any user, the embedded script executes in the victim's browser context. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score of 7.2 reflects a high severity, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change due to the impact crossing security boundaries. No patches or official fixes have been linked yet, and no active exploitation has been reported. Given the plugin's use in customizing product visuals on WordPress sites, especially in e-commerce and marketing sectors, the vulnerability poses a significant threat to website integrity and user trust.

For European organizations, this vulnerability can lead to significant confidentiality and integrity breaches. Attackers can execute arbitrary scripts in users' browsers, potentially stealing session cookies, login credentials, or other sensitive data. This can facilitate account takeover, fraudulent transactions, or unauthorized access to internal systems if single sign-on or session tokens are compromised. The vulnerability does not directly affect availability but can indirectly cause service disruptions through reputational damage or forced downtime for remediation. E-commerce platforms and marketing websites using the Fancy Product Designer plugin are particularly at risk, as they often handle sensitive customer data and payment information. The exploitation of this vulnerability could undermine customer trust, lead to regulatory non-compliance under GDPR due to data breaches, and result in financial losses. The ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in high-traffic websites. Organizations may also face legal and compliance repercussions if personal data is compromised.

European organizations should immediately audit their WordPress installations to identify the presence of the Fancy Product Designer plugin and its version. Until an official patch is released, administrators should consider disabling SVG file uploads or restricting upload permissions to trusted users only. Implementing Web Application Firewall (WAF) rules to detect and block malicious SVG payloads can provide an additional layer of defense. Reviewing and hardening file upload handling mechanisms, including validating and sanitizing SVG content server-side, is critical. Monitoring web server logs for unusual upload activity or access patterns to SVG files can help detect exploitation attempts. Organizations should also educate site administrators and developers about the risks of insecure file uploads and ensure timely updates once a patch becomes available. Employing Content Security Policy (CSP) headers to restrict script execution sources can mitigate the impact of injected scripts. Finally, conducting regular security assessments and penetration tests focused on plugin vulnerabilities will help maintain a secure environment.