CVE-2025-13439 (CNNVD-202512-3100)
中文标题:
WordPress plugin Fancy Product Designer 信息泄露漏洞
英文标题:
Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure via 'url' Parameter
漏洞描述
中文描述:
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Fancy Product Designer 6.4.8及之前版本存在信息泄露漏洞,该漏洞源于用户输入验证不足,可能导致信息泄露。
英文描述:
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| radykal | Fancy Product Designer | - | ≤ 6.4.8 | - |
cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-13439 |
2025-12-19 03:24:33 | 2026-01-12 02:10:58 |
| NVD | nvd_CVE-2025-13439 |
2025-12-17 03:00:07 | 2026-01-12 02:27:28 |
| CNNVD | cnnvd_CNNVD-202512-3100 |
2026-01-26 02:10:03 | 2026-01-25 18:11:37 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 信息泄露
- cnnvd_id: 未提取 -> CNNVD-202512-3100
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']