CVE-2025-13439— WordPress plugin Fancy Product Designer 信息泄露漏洞

Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure and PHAR Deserialization via 'url' Parameter

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

信息暴露

WordPress plugin Fancy Product Designer 信息泄露漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Fancy Product Designer 6.4.8及之前版本存在信息泄露漏洞，该漏洞源于用户输入验证不足，可能导致信息泄露。

N/A

N/A