The Fancy Product Designer plugin for WordPress, developed by radykal, suffers from an information disclosure vulnerability identified as CVE-2025-13439. This vulnerability affects all versions up to and including 6.4.8. The root cause is insufficient input validation on the 'url' parameter within the 'fpd_custom_uplod_file' AJAX action. Specifically, the parameter is passed directly to the PHP getimagesize function without sanitization or validation, allowing attackers to supply crafted input that causes the server to process arbitrary file paths. This leads to the exposure of sensitive server files, including wp-config.php, which contains database credentials and other critical configuration data. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). No known exploits have been reported in the wild yet. The vulnerability allows unauthenticated remote attackers to read arbitrary files, which can facilitate further attacks such as database compromise or site takeover if sensitive credentials are leaked. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

This vulnerability can have serious consequences for organizations running WordPress sites with the Fancy Product Designer plugin. Exposure of sensitive files like wp-config.php can lead to leakage of database credentials, API keys, and other secrets, enabling attackers to escalate privileges, access databases, or compromise the entire website. This can result in data breaches, defacement, loss of customer trust, and potential regulatory penalties. Since the vulnerability is exploitable remotely without authentication or user interaction, it significantly lowers the barrier for attackers. The high confidentiality impact combined with the widespread use of WordPress and this plugin in e-commerce and business websites increases the risk of targeted attacks. Although the attack complexity is high, skilled attackers can still exploit this vulnerability to gain critical information, making it a substantial threat to affected organizations worldwide.

1. Immediately update the Fancy Product Designer plugin to a patched version once available from the vendor. 2. In the absence of an official patch, implement web application firewall (WAF) rules to block or sanitize requests containing suspicious 'url' parameters targeting the 'fpd_custom_uplod_file' AJAX action. 3. Restrict access to the AJAX endpoint by IP whitelisting or requiring authentication where feasible. 4. Harden the server by restricting file system permissions to prevent unauthorized file reads by the web server user. 5. Monitor web server logs for unusual requests to the vulnerable AJAX action and signs of attempted exploitation. 6. Consider disabling or removing the Fancy Product Designer plugin if it is not essential. 7. Regularly back up website data and configurations to enable recovery in case of compromise. 8. Educate site administrators on the risks of installing outdated or untrusted plugins and the importance of timely updates.