Executive Summary
A critical unauthenticated arbitrary file deletion vulnerability has been assigned CVE-2026-9725 in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin. With a CVSS score of 9.1, the flaw allows any unauthenticated remote attacker to delete arbitrary files on the server — including wp-config.php — enabling a complete site takeover without requiring any credentials.
CVSS Score: 9.1 (Critical)
All plugin versions up to and including 2.5.2 are affected. A patched release above 2.5.2 is expected; users should check WPScan and Wordfence Threat Intel for the confirmed fixed version.
Vulnerability Overview
Root Cause
The vulnerability exists in the store_design_data() function, which constructs a filesystem path directly from user-supplied input without adequate path validation. Attackers can supply path traversal sequences (e.g., ../) to escape the intended upload directory and reference arbitrary files accessible to the web server process.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-9725 |
| CVSS Score | 9.1 (Critical) |
| Type | Arbitrary File Deletion via Path Traversal |
| Attack Vector | Network |
| Authentication | None required |
| Affected Function | store_design_data() |
| Plugin Versions | <= 2.5.2 |
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| Printcart Web to Print Product Designer for WooCommerce | <= 2.5.2 | Unpatched — check vendor |
Exploitation Scenario
An unauthenticated remote attacker can send a crafted HTTP request to the endpoint backed by store_design_data(), supplying a path traversal payload. The most severe scenario is the deletion of wp-config.php:
1. Attacker sends crafted POST request with ../../../wp-config.php payload
2. store_design_data() constructs filesystem path without canonicalization
3. wp-config.php is deleted from the WordPress root
4. WordPress reverts to install state — attacker completes setup wizard
5. Full database and administrative control obtainedOther high-value targets include:
.htaccess(removes access controls)- WordPress core files (breaks site availability)
- Any file readable/writable by the web server process
Why This Is Especially Dangerous
The unauthenticated nature of the vulnerability means no valid WordPress user account is needed — any anonymous user can trigger it. WooCommerce stores run on public-facing infrastructure, making them trivially discoverable and reachable targets.
This vulnerability follows the same class as the previously disclosed CVE-2025-10268 (Path Traversal in gallery_image_exists.php in the same plugin), indicating a pattern of insufficient path validation across the codebase.
Remediation
Immediate Actions
- Update or disable the plugin immediately — check WPScan and Wordfence for confirmed patched version
- Audit server file integrity — compare current file hashes against known-good baselines
- Review web server logs for unusual POST requests to WooCommerce plugin endpoints
- Verify
wp-config.phpintegrity and presence - Monitor for unauthorized WordPress reinstall flow — unauthorized access to
/wp-admin/install.phpwould indicate exploitation
Temporary Mitigation
If patching cannot happen immediately:
- Block external access to affected plugin endpoints via WAF or
.htaccessrules - Restrict web server process file permissions to limit blast radius
- Consider placing the WordPress site behind a WAF with virtual patching
Detection
| Signal | Description |
|---|---|
POST requests with ../ in parameters | Path traversal attempt |
Missing wp-config.php | Possible successful exploitation |
Unexpected access to /wp-admin/install.php | Post-exploitation setup attempt |
| Unusual file system changes in WordPress root | Active exploitation indicator |
Key Takeaways
- CVSS 9.1 — Unauthenticated path traversal enabling arbitrary file deletion
- All versions <= 2.5.2 are affected; update immediately when a patch is released
- wp-config.php deletion is the most severe exploitation path — enables full site takeover
- Pattern of path traversal flaws in this plugin; full code audit recommended post-patching
- No authentication required — any anonymous user can trigger exploitation