
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 13 (Critical: 1, High: 4, Medium: 8)
Showing 1-13 of 13 records
Threat Entry Updated 2026-01-16

CVE-2025-15526 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Fancy Product Designer

CVE-2025-15526

MEDIUM CVSS 5.3 2026-01-16
Threat Entry Updated 2025-12-16

CVE-2025-13231 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external…

PLUGIN Fancy Product Designer

CVE-2025-13231

MEDIUM CVSS 6.5 2025-12-16
Threat Entry Updated 2026-01-22

CVE-2025-13439 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.

PLUGIN Fancy Product Designer

CVE-2025-13439

MEDIUM CVSS 5.9 2025-12-16
Threat Entry Updated 2025-12-12

CVE-2025-12570 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Fancy Product Designer

CVE-2025-12570

HIGH CVSS 7.2 2025-12-12
Threat Entry Updated 2025-05-08

CVE-2024-0904 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Fancy Product Designer

CVE-2024-0904

MEDIUM CVSS 5.9 2024-05-06
Threat Entry Updated 2025-05-08

CVE-2024-0905 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users.

PLUGIN Fancy Product Designer

CVE-2024-0905

MEDIUM CVSS 6.3 2024-04-26
Threat Entry Updated 2025-04-07

CVE-2024-0902 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Fancy Product Designer

CVE-2024-0902

MEDIUM CVSS 4.8 2024-04-15
Threat Entry Updated 2025-05-05

CVE-2024-0365 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by administrators.

PLUGIN Fancy Product Designer

CVE-2024-0365

MEDIUM CVSS 6.5 2024-03-18
Threat Entry Updated 2026-04-08

CVE-2021-4334 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.

PLUGIN Fancy Product Designer

CVE-2021-4334

HIGH CVSS 8.8 2023-10-20
Threat Entry Updated 2026-04-08

CVE-2021-4335 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account.

PLUGIN Fancy Product Designer

CVE-2021-4335

MEDIUM CVSS 6.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2021-4096 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.

PLUGIN Fancy Product Designer

CVE-2021-4096

HIGH CVSS 8.8 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2021-4134 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

PLUGIN Fancy Product Designer

CVE-2021-4134

HIGH CVSS 7.2 2022-02-16