GHSA-7HPP-W2WQ-4W79
Vulnerability from github – Published: 2026-07-03 06:32 – Updated: 2026-07-03 06:32The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() — which does not strip path traversal sequences — and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site's server which may make remote code execution possible.
{
"affected": [],
"aliases": [
"CVE-2026-9725"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T06:16:23Z",
"severity": "CRITICAL"
},
"details": "The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied \u0027nbd_item_key\u0027 POST parameter sanitized only with sanitize_text_field() \u2014 which does not strip path traversal sequences \u2014 and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP\u0027s rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site\u0027s server which may make remote code execution possible.",
"id": "GHSA-7hpp-w2wq-4w79",
"modified": "2026-07-03T06:32:07Z",
"published": "2026-07-03T06:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9725"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/printcart-integration/tags/2.4.8/includes/class.nbdesigner.php#L214"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/printcart-integration/tags/2.4.8/includes/class.nbdesigner.php#L3246"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/printcart-integration/tags/2.4.8/includes/class.nbdesigner.php#L3698"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3593521/printcart-integration/trunk/includes/class.nbdesigner.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fprintcart-integration/tags/2.5.2\u0026new_path=%2Fprintcart-integration/tags/2.5.3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bb962bd-9b23-4820-885e-d8095250c3c7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.