Description
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
Published: 2025-10-11
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WooCommerce Designer Pro plugin contains an insufficient file path validation flaw in the wcdp_save_canvas_design_ajax function that permits arbitrary file deletion on the server. This weakness can lead to remote code execution, data loss, or complete site outage by enabling an attacker to delete critical files or replace them with malicious payloads. The vulnerability is classified as CWE-22.
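As an added example (not the plugin's own code, nor Wordfence's), the following PHP sketches the kind of path validation the description says is missing: the design identifier is restricted to a safe character set, the resolved path is canonicalised with realpath() and checked against an allowed base directory, and the AJAX handler requires a nonce and a capability instead of accepting unauthenticated calls. The function names, the 'wcdp_designs' subdirectory and the '.json' extension are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's or Wordfence's code). Function names, the
// 'wcdp_designs' subdirectory and the '.json' extension are assumptions.
/* Resolve $design_id to a directory directly under $base_dir; false if the id is
   malformed, the path does not exist, or it escapes $base_dir via '..' or a symlink. */
function wcdp_example_safe_design_path( string $base_dir, string $design_id ) {
    // Accept only a plain identifier: no separators, dots or NUL bytes.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $design_id ) ) {
        return false;
    }
    // realpath() canonicalises: it follows symlinks and collapses '.' and '..'.
    $real_base = realpath( $base_dir );
    if ( false === $real_base ) {
        return false;
    }
    $candidate = realpath( $real_base . DIRECTORY_SEPARATOR . $design_id );
    if ( false === $candidate ) {
        return false; // does not exist; never reaches unlink()
    }
    // Trailing separator so '/wcdp_designs' cannot match '/wcdp_designs-other'.
    $prefix = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return false;
    }
    return $candidate;
}
/** Hypothetical hardened AJAX handler: nonce, capability, confined path. */
function wcdp_example_delete_design_files_ajax() {
    check_ajax_referer( 'wcdp_design_nonce', 'nonce' );   // rejects forged requests
    if ( ! current_user_can( 'edit_posts' ) ) {           // no unauthenticated callers
        wp_send_json_error( 'forbidden', 403 );
    }
    $uploads    = wp_upload_dir();
    $base_dir   = $uploads['basedir'] . DIRECTORY_SEPARATOR . 'wcdp_designs';
    $design_dir = wcdp_example_safe_design_path( $base_dir, (string) ( $_POST['design_id'] ?? '' ) );
    if ( false === $design_dir || ! is_dir( $design_dir ) ) {
        wp_send_json_error( 'invalid design', 400 );
    }
    $deleted = 0;
    // Delete only regular files (not symlinks) with the expected extension.
    foreach ( glob( $design_dir . DIRECTORY_SEPARATOR . '*.json' ) ?: array() as $file ) {
        if ( is_file( $file ) && ! is_link( $file ) && unlink( $file ) ) {
            $deleted++;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_wcdp_example_delete_design', 'wcdp_example_delete_design_files_ajax' );
```

Note that the handler is registered only on the `wp_ajax_` hook, not `wp_nopriv_`, so logged-out visitors cannot reach it at all.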

Affected Systems

All versions of the WooCommerce Designer Pro plugin by JMA Plugins up to and including 1.9.26 are affected. The plugin is used by the Pricom – Printing Company & Design Services WordPress theme on affected sites.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is critical. The EPSS score of 1% indicates a modest likelihood of exploitation, yet the vulnerability is still actionable. It has not been listed in the CISA KEV catalog, but the remote nature of the attack vector (unauthenticated HTTP requests to the plugin's AJAX endpoint) makes it a practical threat.

Generated by OpenCVE AI on April 21, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WooCommerce Designer Pro to the latest version (1.9.27 or newer).
  • If an immediate upgrade is impossible, completely disable or uninstall the plugin to eliminate the attack surface.
  • As a temporary measure, adjust server file permissions to prevent the web process from deleting arbitrary files, and block traffic to the wcdp_save_canvas_design_ajax endpoint via a web-application firewall or .htaccess rules.

Advisories

No advisories yet.

History

Tue, 21 Oct 2025 13:15:00 +0000

Type: First Time appeared
Values Added: Jma Plugins; Jma Plugins woocommerce Designer Pro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jma Plugins; Jma Plugins woocommerce Designer Pro; Wordpress; Wordpress wordpress

Tue, 14 Oct 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 11 Oct 2025 09:45:00 +0000

Type: Description
Values Added: The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.

Type: Title
Values Added: WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:24.911Z

Reserved: 2025-06-20T17:00:53.008Z

Link: CVE-2025-6439

Vulnrichment

Updated: 2025-10-14T20:13:24.958Z

NVD

Status: Deferred

Published: 2025-10-11T10:15:43.653

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses