CVE-2026-9725: Printcart Web to Print Product Designer for WooCommerce <= 2.5.2 - Unauthenticated Arbitrary File Deletion
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2. This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field(), a function that does not strip path traversal sequences, and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site's server, which may make remote code execution possible.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Arbitrary file deletion vulnerability in the Printcart Web to Print Product Designer plugin for WooCommerce affects all plugin versions up to and including 2.5.2. The flaw is reachable over the network with no authentication required: an attacker obtains a valid nonce from a publicly accessible endpoint and then submits a crafted POST request containing path traversal sequences in the 'nbd_item_key' parameter, causing the server to delete any file the web process can reach. Successful exploitation lets an attacker delete arbitrary files on the server, which can disable the site or enable remote code execution by removing files that enforce security controls. No upstream fix has been published yet; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
- Detection (status: Available). Detection for CVE-2026-9725 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and NVD) within minutes of publication and matched against customer images, including custom-built WordPress and WooCommerce images that bundle this plugin. Any image found to include the Printcart plugin at version 2.5.2 or earlier is flagged immediately.
- Triage (status: Available). HarborGuard scores this vulnerability at CVSS 9.1 Critical and weights it against each environment's compliance policy to determine urgency and escalation path. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules for the affected image or workload.
- Remediation (status: Pending upstream). Because no upstream fix version has been published, HarborGuard re-examines this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. In the meantime, the advisory status is surfaced continuously so customers can apply compensating controls at the network or application layer while waiting for an official patch.
Exploit Conditions
- Network reachability: Required
The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.
- Authentication: Not required
No account or session is needed; the nonce required by the AJAX action is freely obtainable by any unauthenticated user via the nbd_check_use_logged_in endpoint.
- Victim interaction: Not required
The attacker sends crafted POST requests directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
Exploitation is straightforward and condition-free: obtaining the nonce and submitting a path-traversal payload requires no race conditions or special environmental factors.
Blast Radius
- Deletes arbitrary files accessible to the web server process, including WordPress core files, configuration files such as wp-config.php, or plugin and theme files.
- Removing security-critical files (such as those enforcing authentication or access control) can create conditions for follow-on remote code execution.
- Deletion of wp-config.php or similar configuration files can render the entire WordPress site inoperable, causing a full service outage.
- Any file the PHP process has write or unlink permission over is in scope, which on misconfigured servers may extend beyond the web root.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9725 is active for all customer images containing the Printcart plugin at a vulnerable version. Because no upstream patch exists, HarborGuard monitors the Wordfence and NVD advisory feeds on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment a fix version is published. While no patch is available, customers can apply compensating controls: network-policy rules that restrict public access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) where business requirements permit; WAF rules that block POST parameters containing path traversal sequences such as '../'; and egress filtering to limit what a compromised web process can reach. These compensating-control recommendations are surfaced directly in the HarborGuard finding detail for this CVE so the relevant team can act without waiting for an upstream fix.
Affected Products
- printcart / Printcart Web to Print Product Designer for WooCommerce: ≤ 2.5.2
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H