Skip to main content

Printcart Product Designer CVE-2026-9725

| EUVDEUVD-2026-41488 CRITICAL
Path Traversal (CWE-22)
2026-07-03 Wordfence GHSA-7hpp-w2wq-4w79
9.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Nonce is freely obtainable by anonymous users so PR:N and AC:L hold; arbitrary file deletion gives high integrity and availability impact with no confidentiality disclosure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 05:47 vuln.today
CVE Published
Jul 03, 2026 - 04:30 cve.org
CRITICAL 9.1

DescriptionCVE.org

The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() - which does not strip path traversal sequences - and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site's server which may make remote code execution possible.

AnalysisAI

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fetch nonce from nbd_check_use_logged_in
Delivery
Craft POST to nbd_save_customer_design
Exploit
Inject traversal in nbd_item_key
Execution
Path escapes design directory
Persist
delete_folder()/rename() removes target file
Impact
Site disruption or RCE setup

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable Printcart Web to Print Product Designer plugin (<= 2.5.2) is installed and active on the WordPress site; the attacker sends a POST to the nbd_save_customer_design AJAX action with a traversal payload in the nbd_item_key parameter after obtaining the nonce from the nbd_check_use_logged_in endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals align toward genuine, though not yet confirmed-exploited, risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An anonymous attacker first calls the nbd_check_use_logged_in endpoint to harvest a valid nonce for the nbd_save_customer_design action, then sends a crafted POST request setting nbd_item_key to a path-traversal value such as '../../../../wp-config.php'. Because sanitize_text_field() leaves the traversal intact, the plugin's delete_folder()/rename() call removes a critical file, disrupting the site or setting up conditions for further compromise. …
Remediation Vendor-released patch: update the plugin to version 2.5.3, which is the first fixed release per the WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?old_path=%2Fprintcart-integration/tags/2.5.2&new_path=%2Fprintcart-integration/tags/2.5.3); review the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5bb962bd-9b23-4820-885e-d8095250c3c7?source=cve) for confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress sites using Printcart plugin and document installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy