Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Nonce is freely obtainable by anonymous users so PR:N and AC:L hold; arbitrary file deletion gives high integrity and availability impact with no confidentiality disclosure.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() - which does not strip path traversal sequences - and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site's server which may make remote code execution possible.
Articles & Coverage 2
AnalysisAI
Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable Printcart Web to Print Product Designer plugin (<= 2.5.2) is installed and active on the WordPress site; the attacker sends a POST to the nbd_save_customer_design AJAX action with a traversal payload in the nbd_item_key parameter after obtaining the nonce from the nbd_check_use_logged_in endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals align toward genuine, though not yet confirmed-exploited, risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An anonymous attacker first calls the nbd_check_use_logged_in endpoint to harvest a valid nonce for the nbd_save_customer_design action, then sends a crafted POST request setting nbd_item_key to a path-traversal value such as '../../../../wp-config.php'. Because sanitize_text_field() leaves the traversal intact, the plugin's delete_folder()/rename() call removes a critical file, disrupting the site or setting up conditions for further compromise. … |
| Remediation | Vendor-released patch: update the plugin to version 2.5.3, which is the first fixed release per the WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?old_path=%2Fprintcart-integration/tags/2.5.2&new_path=%2Fprintcart-integration/tags/2.5.3); review the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5bb962bd-9b23-4820-885e-d8095250c3c7?source=cve) for confirmation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress sites using Printcart plugin and document installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41488
GHSA-7hpp-w2wq-4w79