Skip to main content

Printcart WooCommerce CVE-2025-10268

| EUVDEUVD-2025-210347 MEDIUM
2026-06-26 WPScan GHSA-mm7w-7c83-99xv
5.3
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated endpoint with no complexity barrier warrants AV:N/AC:L/PR:N/UI:N; impact is directory listing only, so C:L with I:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 26, 2026 - 13:23 vuln.today
CVSS changed
Jun 26, 2026 - 13:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 26, 2026 - 06:00 cve.org
MEDIUM 5.3
CVE Published
Jun 26, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server.

AnalysisAI

Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.

Technical ContextAI

The affected product is a WordPress plugin providing web-to-print product design functionality for WooCommerce stores, identified by CPE cpe:2.3:a:unknown:printcart_web_to_print_product_designer_for_woocommerce:*:*:*:*:*:*:*:*. The vulnerability class is path traversal (CWE-22 is not formally assigned in the input data, but the description unambiguously describes this class), which occurs when user-supplied input used to construct filesystem paths is not sanitized against directory traversal sequences such as '../'. The plugin likely exposes an endpoint that accepts a path or filename parameter and returns filesystem content without validating that the resolved path remains within an intended root directory. The impact observed is directory listing - not file content retrieval - suggesting the endpoint may invoke a directory enumeration function rather than a direct file read, though directory listings themselves can expose sensitive path structures including configuration files, backup archives, or credential files that facilitate chained attacks.

RemediationAI

No vendor-released patch has been identified at time of analysis - the affected version range extends through 2.4.8 with no confirmed fix version in any available source (WPScan, NVD, VulDB, or EUVD). The primary recommended action is to deactivate and remove the Printcart Web to Print Product Designer for WooCommerce plugin immediately until a patched version is released and confirmed by the vendor. As a compensating control, deploy WAF rules that block requests containing path traversal sequences (e.g., '../', '%2e%2e%2f', URL-encoded variants) targeting this plugin's endpoints; note this may affect legitimate plugin functionality. Additionally, configure web server directory listing to be disabled at the server level (e.g., 'Options -Indexes' in Apache, 'autoindex off' in nginx) to reduce exposure even if traversal succeeds. Monitor web server access logs for traversal-pattern requests to plugin endpoints. Check the WPScan advisory at https://wpscan.com/vulnerability/0cff6fb3-339b-4eb6-969b-b3a43613cc71/ and VulDB entry at https://vuldb.com/vuln/374124 for patch availability updates.

Share

CVE-2025-10268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy