{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12570", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T20:18:32.570Z", "datePublished": "2025-12-12T06:32:57.204Z", "dateUpdated": "2026-04-08T16:44:16.753Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:16.753Z"}, "affected": [{"vendor": "radykal", "product": "Fancy Product Designer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve"}, {"url": "https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Zeeshan"}, {"lang": "en", "type": "finder", "value": "Muhammad Hassan"}], "timeline": [{"time": "2025-11-19T16:29:24.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T18:11:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T15:49:47.684798Z", "id": "CVE-2025-12570", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T15:50:00.524Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12570", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T15:49:47.684798Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T15:49:57.405Z"}}], "cna": {"title": "Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Zeeshan"}, {"lang": "en", "type": "finder", "value": "Muhammad Hassan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "radykal", "product": "Fancy Product Designer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T16:29:24.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T18:11:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve"}, {"url": "https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393"}], "descriptions": [{"lang": "en", "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:16.753Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12570", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:16.753Z", "dateReserved": "2025-10-31T20:18:32.570Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T06:32:57.204Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "id": "CVE-2025-12570", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T07:15:42.980", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:51:17.357357+00:00", "value": {"mitigation_remediation": ["Upgrade Fancy Product Designer to the latest patch version (6.4.9 or newer).", "If upgrading is unavailable, block or remove the ability to upload SVG files to prevent malicious payloads from being stored.", "Configure the web server to serve SVG files with the X\u2011Content\u2011Type\u2011Options: nosniff header and apply a strict Content Security Policy that blocks inline JavaScript execution."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Fancy Product Designer WordPress plugin version 6.4.8 and all earlier releases, distributed by the vendor radykal. Site administrators running the plugin on WordPress sites must apply an update to eliminate this risk.", "description_and_impact": "The Fancy Product Designer plugin for WordPress permits unauthenticated attackers to upload an SVG file containing malicious JavaScript because data-to-image.php and pdf-to-image.php lack proper sanitization and output escaping. This creates a stored cross\u2011site scripting vulnerability that can inject arbitrary code into any page serving the SVG, potentially compromising the confidentiality and integrity of all site users. The weakness is classified as a classic input validation flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 7.2 indicates moderate\u2011to\u2011high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation today. The vulnerability is not listed in CISA\u2019s KEV catalog. Likely attack paths involve any publicly accessible URL that accepts SVG uploads; an attacker can embed JavaScript that executes in the context of any user who accesses the image, thus gaining the same privileges as that user."}}}}, "created": "2025-12-14T21:17:09.246306+00:00", "updated": "2026-04-22T21:00:06.356712+00:00", "vendors": ["radykal", "radykal$PRODUCT$fancy_product_designer", "wordpress", "wordpress$PRODUCT$wordpress"]}