Home

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PUBLISHED Reserved 2025-10-31 | Published 2025-12-12 | Updated 2025-12-18 | Assigner Wordfence




HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

* (semver)
affected

Timeline

2025-11-19:Vendor Notified
2025-12-11:Disclosed

Credits

Muhammad Zeeshan finder

Muhammad Hassan finder

References

www.wordfence.com/...-3a82-4f0f-b4ff-a291b0289b7f?source=cve

codecanyon.net/...duct-designer-woocommercewordpress/6318393

cve.org (CVE-2025-12570)

nvd.nist.gov (CVE-2025-12570)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.