CVE-2025-13439: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in radykal Fancy Product Designer
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
AI Analysis
Technical Summary
The Fancy Product Designer plugin for WordPress suffers from an information disclosure vulnerability (CWE-200) caused by insufficient validation of user input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action. This input is used directly in the getimagesize function without sanitization, allowing unauthenticated attackers to read arbitrary files on the server, including sensitive configuration files such as wp-config.php. The vulnerability affects all versions up to and including 6.4.8. The CVSS v3.1 base score is 5.9, reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact.
Potential Impact
Successful exploitation allows unauthenticated attackers to read sensitive files on the server, potentially exposing critical configuration data such as database credentials contained in wp-config.php. This can lead to further compromise of the WordPress installation or underlying infrastructure. There is no impact on integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the vulnerable AJAX action if possible or implement web application firewall (WAF) rules to block malicious requests targeting the 'url' parameter. Monitor for updates from the vendor (radykal) regarding patches or official mitigations.
CVE-2025-13439: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in radykal Fancy Product Designer
Description
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Fancy Product Designer plugin for WordPress suffers from an information disclosure vulnerability (CWE-200) caused by insufficient validation of user input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action. This input is used directly in the getimagesize function without sanitization, allowing unauthenticated attackers to read arbitrary files on the server, including sensitive configuration files such as wp-config.php. The vulnerability affects all versions up to and including 6.4.8. The CVSS v3.1 base score is 5.9, reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact.
Potential Impact
Successful exploitation allows unauthenticated attackers to read sensitive files on the server, potentially exposing critical configuration data such as database credentials contained in wp-config.php. This can lead to further compromise of the WordPress installation or underlying infrastructure. There is no impact on integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the vulnerable AJAX action if possible or implement web application firewall (WAF) rules to block malicious requests targeting the 'url' parameter. Monitor for updates from the vendor (radykal) regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-19T19:03:47.252Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69410b259bfd1ab9ba9ec084
Added to database: 12/16/2025, 7:32:53 AM
Last enriched: 4/9/2026, 4:30:28 PM
Last updated: 5/9/2026, 5:05:20 PM
Views: 209
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.