Wasteland.
CVE-2026-9725 | 2026-07-03

Printcart WooCommerce Plugin Hit by Critical Unauthenticated File Deletion Flaw (CVE-2026-9725)

A critical path-traversal flaw in the Printcart Web to Print Product Designer for WooCommerce plugin lets unauthenticated attackers delete arbitrary files on affected WordPress sites, potentially leading to remote code execution.

What Is It

CVE-2026-9725 is an arbitrary file deletion vulnerability (CWE-22, path traversal) in the Printcart Web to Print Product Designer for WooCommerce plugin for WordPress. The flaw lives in the store_design_data() function, which builds a filesystem path from the user-supplied nbd_item_key POST parameter. That value is sanitized only with sanitize_text_field(), which strips tags, line breaks and stray whitespace but leaves "../" sequences and directory separators untouched, and the resulting path is then passed directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users through the nbd_check_use_logged_in endpoint, so the nonce is a CSRF token only, not an authorization control, and its disclosure removes the only barrier to abuse.
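The PHP below is an added illustration, not code from the Printcart plugin or from Wordfence. It reconstructs the pattern the advisory describes (POST key, sanitize_text_field(), filesystem path, delete and rename) beside one way to harden it: allowlist the key's shape, then confirm the canonical parent of the target is the storage root. The stub sanitize_text_field(), the storage directory, the function names vulnerable_target_path() and safe_target_path(), the item-key allowlist pattern and the sample inputs are all assumptions.

```php
<?php
// Added illustration for CVE-2026-9725; not the Printcart plugin's code.
// Reconstructs the pattern the advisory describes (POST key -> sanitize_text_field()
// -> filesystem path -> delete/rename) next to a hardened version. The storage
// directory, function names and item-key allowlist below are assumptions.

// Stand-in so the file runs outside WordPress (assumption about the environment).
// Mirrors the relevant behaviour of WP's sanitize_text_field(): strips tags and
// collapses whitespace/line breaks, but leaves "../" and "/" untouched.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}

// Vulnerable pattern: the only filtering is text sanitization, so a key such as
// "../../x" still walks out of the designs directory before delete_folder()/rename().
function vulnerable_target_path(string $base, string $postedKey): string {
    $key = sanitize_text_field($postedKey);
    return $base . '/' . $key;
}

// Hardened pattern: (1) allowlist the key's shape, (2) confirm the canonical parent of
// the target is the storage root. The AJAX nonce is a CSRF token, not an
// authorization check, and the advisory says it is obtainable anonymously, so the
// path validation must not depend on it.
function safe_target_path(string $base, string $postedKey): ?string {
    $key = sanitize_text_field($postedKey);
    // Assumption: genuine item keys are short tokens of [A-Za-z0-9_-]. Anything else,
    // including "..", "/", "\" and NUL bytes, is rejected before touching the disk.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key)) {
        return null;
    }
    $root = realpath($base);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // The target may not exist yet (rename destination), so resolve its parent and
    // require it to be exactly the storage root (defence in depth behind the regex).
    $candidate = $root . DIRECTORY_SEPARATOR . $key;
    if (realpath(dirname($candidate)) !== $root) {
        return null;
    }
    return $candidate;
}

// Demo on constructed input (not a captured request).
function demo(): array {
    $base = sys_get_temp_dir() . '/nbdesigner-demo';  // assumed storage root
    if (!is_dir($base)) {
        mkdir($base, 0700, true);
    }
    $traversal = '../../some-other-file';  // constructed traversal value
    $legit     = 'design_1a2b3c';          // constructed well-formed key
    return [
        'vulnerable_path'    => vulnerable_target_path($base, $traversal), // escapes $base
        'hardened_traversal' => safe_target_path($base, $traversal),       // null: rejected
        'hardened_legit'     => safe_target_path($base, $legit),           // stays inside $base
    ];
}

print_r(demo());
```

Run it with `php demo.php`: the vulnerable path resolves two directories above the storage root, the hardened function returns null for the same input and a canonical in-root path for the well-formed key. The regex alone is sufficient to block traversal; the realpath() comparison is there so that a later relaxation of the allowlist cannot silently reopen the hole.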

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.1 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. It is network-exploitable, requires low attack complexity, and needs no privileges or user interaction. Unauthenticated attackers can delete arbitrary files on the server, which, as the advisory notes, may make remote code execution possible. Impact to integrity and availability is rated HIGH; confidentiality is not affected (C:N), which is why the score stops short of 10.

What's Vulnerable

Printcart Web to Print Product Designer for WooCommerce for WordPress, all versions up to and including 2.5.2.

Patch Status

Wordfence's reference set points to a fix in the changeset moving from tag 2.5.2 to 2.5.3, indicating version 2.5.3 as the remediated release. Administrators running 2.5.2 or earlier should update to 2.5.3 or later. No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed by KEV at this time.

Sources