Skip to main content

Printcart Web To Print Product Designer For Woocommerce

2 CVEs product

Monthly

CVE-2026-9725 CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE Printcart Web To Print Product Designer For Woocommerce
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2025-10268 MEDIUM POC This Month

Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.

WordPress Path Traversal Printcart Web To Print Product Designer For Woocommerce
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.2%
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.

WordPress Path Traversal Printcart Web To Print Product Designer For Woocommerce
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy