FKIE_CVE-2026-9725
Vulnerability from fkie_nvd - Published: 2026-07-03 06:16 - Updated: 2026-07-03 06:16
Severity
Summary
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() — which does not strip path traversal sequences — and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site's server which may make remote code execution possible.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Printcart Web to Print Product Designer for WooCommerce",
"vendor": "printcart",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"source": "security@wordfence.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied \u0027nbd_item_key\u0027 POST parameter sanitized only with sanitize_text_field() \u2014 which does not strip path traversal sequences \u2014 and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP\u0027s rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"id": "CVE-2026-9725",
"lastModified": "2026-07-03T06:16:23.263",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2026-07-03T06:16:23.263",
"references": [
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/printcart-integration/tags/2.4.8/includes/class.nbdesigner.php#L214"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/printcart-integration/tags/2.4.8/includes/class.nbdesigner.php#L3246"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/printcart-integration/tags/2.4.8/includes/class.nbdesigner.php#L3698"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset/3593521/printcart-integration/trunk/includes/class.nbdesigner.php"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fprintcart-integration/tags/2.5.2\u0026new_path=%2Fprintcart-integration/tags/2.5.3"
},
{
"source": "security@wordfence.com",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bb962bd-9b23-4820-885e-d8095250c3c7?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…