CVE-2025-6439

CRITICAL

WooCommerce Designer Pro <1.9.26 - Path Traversal

Title source: llm

Description

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.

References (2)

Core 2

Core References

Various Sources

https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/407a0bc3-2775-4a34-9817-924bf94a4f94?source=cve

Scores

CVSS v3 9.8

EPSS 0.0074

EPSS Percentile 49.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

JMA Plugins/WooCommerce Designer Pro < 1.9.26

Published Oct 11, 2025

Tracked Since Feb 18, 2026