Which Fancy Product Designer CVEs are tracked?

Fancy Product Designer tracked CVEs include CVE-2024-51919, CVE-2021-24370, CVE-2024-0365, CVE-2021-4334, and CVE-2021-4096.

How many Fancy Product Designer vulnerabilities have patch guidance?

16 of 16 tracked Fancy Product Designer records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 16 known issues Latest disclosed Dec 15, 2025

Fancy Product Designer Vulnerabilities

Review known vulnerability records for the WordPress plugin Fancy Product Designer (`fancy-product-designer`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-13439, CVE-2025-15526 and CVE-2025-13231, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Jan 22, 2026

Priority CVE Quick Links

Fast paths into Fancy Product Designer CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2024-51919 Critical 6.4.4

CVE-2024-51919 Fancy Product Designer Remote Code Execution

Fancy Product Designer <= 6.4.3 - Unauthenticated Arbitrary File Upload

CVE-2021-24370 Critical 4.6.9

CVE-2021-24370 Fancy Product Designer Remote Code Execution

Fancy Product Designer <= 4.6.8 - Unauthenticated Arbitrary File Upload

CVE-2024-0365 Critical 6.1.5

CVE-2024-0365 Fancy Product Designer SQL Injection

Fancy Product Designer <= 6.1.4 - Authenticated (Admin+) SQL Injection

CVE-2021-4334 High 4.7.0

CVE-2021-4334 Fancy Product Designer Privilege Escalation

Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options

CVE-2021-4096 High 4.7.6

CVE-2021-4096 Fancy Product Designer Arbitrary File Upload

Fancy Product Designer <= 4.7.5 - Cross-Site Request Forgery to Arbitrary File Upload

CVE-2024-51818 High 6.4.4

CVE-2024-51818 Fancy Product Designer SQL Injection

Fancy Product Designer <= 6.4.3 - Unauthenticated SQL Injection

CVE-2025-12570 High 6.5.0

CVE-2025-12570 Fancy Product Designer File Upload

Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

CVE-2021-4134 High 4.7.5

CVE-2021-4134 Fancy Product Designer SQL Injection

Fancy Product Designer <= 4.7.4 - Admin+ SQL Injection

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Fancy Product Designer so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

16 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

3 critical and 5 high severity findings.

Recent CVEs

CVE-2025-13439, CVE-2025-15526 and CVE-2025-13231

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-13439 Medium Patch path listed

CVE-2025-13439: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure and PHAR Deserialization via 'url' Parameter

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient vali...

Published

Dec 15, 2025

Patch Status

6.5.0

Open CVE-2025-13439 Report

CVE-2025-15526 Medium Patch path listed

CVE-2025-15526: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Full Path Disclosure via 'pdf' Parameter

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload fu...

Published

Dec 15, 2025

Patch Status

6.5.0

Open CVE-2025-15526 Report

CVE-2025-13231 Medium Patch path listed

CVE-2025-13231: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Server-Side Request Forgery via Race Condition

The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU)...

Published

Dec 15, 2025

Patch Status

6.5.0

Open CVE-2025-13231 Report

Known Vulnerabilities

Reports for Fancy Product Designer

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-13439

CVE-2025-13439: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure and PHAR Deserialization via 'url' Parameter

The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX a...

Published

Dec 15, 2025

Patched Release

6.5.0

Affected Versions

Versions up to 6.4.8

Next Step

Update to 6.5.0 or newer if supported.

Open CVE-2025-13439 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-15526

CVE-2025-15526: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Full Path Disclosure via 'pdf' Parameter

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This...

Published

Dec 15, 2025

Patched Release

6.5.0

Affected Versions

Versions up to 6.4.8

Next Step

Update to 6.5.0 or newer if supported.

Open CVE-2025-15526 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-13231

CVE-2025-13231: Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Server-Side Request Forgery via Race Condition

The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin...

Published

Dec 15, 2025

Patched Release

6.5.0

Affected Versions

Versions up to 6.4.8

Next Step

Update to 6.5.0 or newer if supported.

Open CVE-2025-13231 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-12570

CVE-2025-12570: Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes...

Published

Dec 11, 2025

Patched Release

6.5.0

Affected Versions

Versions up to 6.4.8

Next Step

Update to 6.5.0 or newer if supported.

Open CVE-2025-12570 Report Open CVE Reference

Plugin Critical Patched: Yes CVE-2024-51919

CVE-2024-51919: Fancy Product Designer <= 6.4.3 - Unauthenticated Arbitrary File Upload

The Fancy Product Designer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.4.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server wh...

Published

Jan 03, 2025

Patched Release

6.4.4

Affected Versions

Versions up to 6.4.3

Next Step

Update to 6.4.4 or newer if supported.

Open CVE-2024-51919 Report Open CVE Reference

Plugin High Patched: Yes CVE-2024-51818

CVE-2024-51818: Fancy Product Designer <= 6.4.3 - Unauthenticated SQL Injection

The Fancy Product Designer plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthentica...

Published

Jan 03, 2025

Patched Release

6.4.4

Affected Versions

Versions up to 6.4.3

Next Step

Update to 6.4.4 or newer if supported.

Open CVE-2024-51818 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-0905

CVE-2024-0905: Fancy Product Designer <= 6.1.7 - Reflected Cross-Site Scripting

The Fancy Product Designer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scr...

Published

Apr 26, 2024

Patched Release

6.1.8

Affected Versions

Versions up to 6.1.7

Next Step

Update to 6.1.8 or newer if supported.

Open CVE-2024-0905 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-0904

CVE-2024-0904: Fancy Product Designer < 6.1.81 - Authenticated (Admin+) Stored Cross-Site Scripting via License Field

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 6.1.81 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administra...

Published

Apr 15, 2024

Patched Release

6.1.81

Affected Versions

Versions before 6.1.81

Next Step

Update to 6.1.81 or newer if supported.

Open CVE-2024-0904 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-0902

CVE-2024-0902: Fancy Product Designer < 6.1.81 - Authenticated (Admin+) Stored Cross-Site Scripting via Product Title

Published

Mar 25, 2024

Patched Release

6.1.81

Affected Versions

Versions before 6.1.81

Next Step

Update to 6.1.81 or newer if supported.

Open CVE-2024-0902 Report Open CVE Reference

Plugin Critical Patched: Yes CVE-2024-0365

CVE-2024-0365: Fancy Product Designer <= 6.1.4 - Authenticated (Admin+) SQL Injection

The Fancy Product Designer plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenti...

Published

Feb 20, 2024

Patched Release

6.1.5

Affected Versions

Versions up to 6.1.4

Next Step

Update to 6.1.5 or newer if supported.

Open CVE-2024-0365 Report Open CVE Reference

Plugin High Patched: Yes CVE-2021-4334

CVE-2021-4334: Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscri...

Published

Apr 05, 2023

Patched Release

4.7.0

Affected Versions

Versions up to 4.6.9

Next Step

Update to 4.7.0 or newer if supported.

Open CVE-2021-4334 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2021-4335

CVE-2021-4335: Fancy Product Designer <= 4.6.9 - Insufficient Authorization on Mulitple AJAX Actions

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attacker...

Published

Apr 05, 2023

Patched Release

4.7.0

Affected Versions

Versions up to 4.6.9

Next Step

Update to 4.7.0 or newer if supported.

Open CVE-2021-4335 Report Open CVE Reference