Fancy Product Designer WordPress Plugin Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Fancy Product Designer plugin for WordPress, affecting all versions through 6.4.8. The flaw is a time-of-check/time-of-use (TOCTOU) race in the handling of the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin first validates the URL by calling getimagesize() on it, then retrieves the content with a separate file_get_contents() call. Because the check and the fetch are two independent HTTP requests to a server the attacker controls, the result of the check says nothing about what the second request will receive: the attacker's server answers the first request with a genuine image and the second with an HTTP redirect, which file_get_contents() follows by default, to an arbitrary internal or external URL. The server-side request is therefore made to a destination the validation never saw, potentially leading to unauthorized access to internal resources or information disclosure.
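The check-then-fetch pattern described above, placed next to a hardened form, as an added illustration. This is example code written for this page, not the plugin's own code, and the function names (vulnerable_remote_image, hardened_remote_image) are hypothetical. The hardened version makes a single request with redirects disabled, screens the resolved destination before the request, and validates the bytes that were actually received rather than the result of an earlier request.

```php
<?php
// Added example (not the plugin's code). Function names are hypothetical.

// VULNERABLE: two separate requests to the same attacker-controlled URL.
// Request 1 (getimagesize) is answered with a genuine image; request 2
// (file_get_contents) can be answered with a redirect, which the http
// stream wrapper follows by default.
function vulnerable_remote_image($url)
{
    $info = @getimagesize($url);        // time of check: request #1
    if ($info === false) {
        return false;                   // not an image, reject
    }
    return @file_get_contents($url);    // time of use: request #2, redirects followed
}

// HARDENED: one request, no redirects, destination screened first,
// received bytes validated afterwards.
function hardened_remote_image($url, $maxBytes = 5242880)
{
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;                   // only http(s): no file://, php://, ftp://, ...
    }
    $host = $parts['host'] ?? '';
    if ($host === '') {
        return false;
    }

    // Refuse private, loopback and reserved ranges. Caveat: file_get_contents()
    // resolves the name again, so DNS rebinding is not fully closed here; pin the
    // resolved IP (for example with curl's CURLOPT_RESOLVE) when that matters.
    // gethostbyname() only returns an IPv4 address; it returns the hostname
    // unchanged on failure, which then fails the IP filter below.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }

    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'follow_location' => 0,     // a 3xx response is returned as-is, never followed
            'timeout'         => 5,
        ],
    ]);
    // Read at most $maxBytes + 1 so an oversized body can be detected and rejected.
    $data = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    if ($data === false || strlen($data) > $maxBytes) {
        return false;
    }

    // $http_response_header is populated by the http wrapper; require a plain 200
    // so that a redirect answer (not followed, but still "successful") is rejected.
    $status = 0;
    if (isset($http_response_header[0]) && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    if ($status !== 200) {
        return false;
    }

    // Validate what was received in THIS response, not what an earlier request returned.
    $info = @getimagesizefromstring($data);
    if ($info === false || !in_array($info['mime'] ?? '', ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return false;
    }
    return $data;
}
```

Inside WordPress the simpler route is wp_safe_remote_get(), which validates the URL through wp_http_validate_url() and rejects local and private destinations; the point of the example is that whatever transport is used, the image check must be applied to the body of the one request that is actually made, and redirects must not be followed silently.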

Impact

Exploitation of this vulnerability allows an attacker to make the WordPress server issue requests to internal resources or external services of the attacker's choosing, potentially leading to further exploitation or information disclosure.

Remediation

Users are advised to update the Fancy Product Designer WordPress plugin to version 6.5.0 or later.

Added: Dec 16, 2025, 9:59 AM
Updated: Dec 16, 2025, 3:09 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 6.4
remediation: 7.7
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.