CVE-2025-13439

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the url parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.