Arbitrary File Deletion Vulnerability in Printcart Web to Print Product Designer for WooCommerce
CVE-2026-9725
Key Information:
- Vendor: WordPress
- CVE Published: 3 July 2026
What is CVE-2026-9725?
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 2.5.2. The flaw stems from inadequate path validation in the store_design_data() function: the user-supplied 'nbd_item_key' POST parameter is sanitized with sanitize_text_field(), which is inadequate for a value used in a file path. An attacker can therefore manipulate the file path and delete arbitrary files on the server. Because the nonce for the nbd_save_customer_design AJAX action is accessible to unauthenticated users, the risk of unauthorized file deletion is significantly heightened, and it can potentially lead to remote code execution.
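The kind of path validation described above as missing, shown as an added example (not the plugin's code or its fix). The function name, the key format and the directory layout are assumptions, and the sample keys are constructed.

```php
<?php
// Added example: hypothetical helper, not Printcart's store_design_data().

/**
 * Resolve a design folder from a request-supplied key, or return null.
 * $baseDir is the only directory the caller may create or delete files in.
 */
function resolve_design_dir(string $baseDir, string $itemKey): ?string
{
    // 1. Allowlist the key's shape. sanitize_text_field() strips markup and
    //    whitespace, not dots or slashes, so it cannot stand in for this check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $itemKey)) {
        return null;
    }

    // 2. Canonicalize and confirm containment. realpath() resolves symlinks
    //    and ".." segments, and returns false when the target does not exist.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $itemKey);
    if ($base === false || $target === false) {
        return null;
    }

    // Compare against "base/" so a sibling such as "designs_old" cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_dir($target)) {
        return null;
    }
    return $target;
}

// Constructed demo: a temp directory stands in for the plugin's design store.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'designs_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'abc123', 0700, true);

// Constructed sample keys: one valid, the rest malformed or nonexistent.
$samples = ['abc123', '../abc123', 'abc123/../..', '..', 'missing', ''];
foreach ($samples as $key) {
    $dir = resolve_design_dir($base, $key);
    printf("%-16s => %s\n", var_export($key, true), $dir === null ? 'rejected' : 'accepted');
}

// Clean up the demo directories.
rmdir($base . DIRECTORY_SEPARATOR . 'abc123');
rmdir($base);
```

Any delete or write should act only on the path this helper returns, never on a string rebuilt from the request. The nonce exposure noted above is a separate issue that a path check does not address.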
Affected Version(s)
Printcart Web to Print Product Designer for WooCommerce 0 <= 2.5.2