CVE-2025-6439: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in JMA Plugins WooCommerce Designer Pro
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
AI Analysis
Technical Summary
The WooCommerce Designer Pro plugin for WordPress contains a path traversal vulnerability (CWE-22) in the 'wcdp_save_canvas_design_ajax' function. The function accepts a file path but does not confine it to the directory it is meant to operate on, so traversal sequences in that path let the deletion step reach arbitrary directories on the server. The handler is reachable without authentication, which is what makes the flaw critical rather than a post-authentication abuse. All versions up to and including 1.9.26 are affected. The issue carries a CVSS 3.1 base score of 9.8 (Critical): network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity and availability.
Potential Impact
Successful exploitation lets an unauthenticated attacker delete any file the web server's user can remove, which on a typical WordPress host includes plugin, theme and core files as well as wp-config.php. Deleting wp-config.php causes WordPress to present the installation wizard again, which is the usual route from arbitrary file deletion to remote code execution; short of that, the result is data loss (for example customer designs and uploads) and a site that no longer loads. The CVSS vector rates the impact on confidentiality, integrity and availability as high.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory and the plugin's own changelog for a release later than 1.9.26 before assuming the site is fixed. Because the plugin is bundled with the Pricom theme, a theme update may lag the plugin fix, so verify the installed plugin version directly rather than relying on the theme version. Until a fixed release is installed, deactivating or removing the plugin removes the attack surface; if it must stay active, block requests to admin-ajax.php that invoke this plugin's handler at the web server or WAF and reject any request whose file-path parameters contain traversal sequences. Review access logs for POST requests to admin-ajax.php containing '../' and compare wp-config.php and WordPress core files against a known-good backup, since a successful attack leaves deletions rather than new files. Apply the vendor patch promptly once it is available.
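The following PHP is an added illustration of the bug class and its fix, not code from WooCommerce Designer Pro or from JMA Plugins; the function names, the 'designs' directory and the sample files are assumptions. It shows the unsafe pattern (a user-supplied path concatenated onto a base directory and deleted) next to a confined version that canonicalises the path with realpath(), rejects absolute paths and NUL bytes, and only deletes a regular file whose resolved path stays under the base directory. It runs with the plain php CLI against a temporary directory it creates and removes itself.

```php
<?php
// Added example, not the plugin's code. Demonstrates CWE-22 in a file-deletion
// handler and one correct way to confine the path.
declare(strict_types=1);

/**
 * HYPOTHETICAL unsafe pattern: base directory plus untrusted path, deleted as-is.
 * Nothing stops "../" from walking out of $base_dir.
 */
function wcdp_example_unsafe_delete(string $base_dir, string $user_path): bool
{
    $target = $base_dir . DIRECTORY_SEPARATOR . $user_path;
    return is_file($target) && unlink($target);
}

/**
 * Resolve $user_path relative to $base_dir and return the canonical absolute
 * path only if it stays inside $base_dir; otherwise return null.
 */
function wcdp_example_confine_path(string $base_dir, string $user_path): ?string
{
    // Empty names and NUL bytes are never legitimate design-file names; check
    // them first because PHP 8 path functions throw on embedded NUL.
    if ($user_path === '' || strpos($user_path, "\0") !== false) {
        return null;
    }
    // Absolute POSIX or Windows paths are rejected outright.
    if ($user_path[0] === '/' || $user_path[0] === '\\' || preg_match('#^[A-Za-z]:#', $user_path) === 1) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // realpath() resolves ".", ".." and symlinks; false means the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/designs-other" cannot match "/srv/designs".
    $base_with_sep = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base_with_sep, strlen($base_with_sep)) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Delete exactly one regular file under $base_dir. Never recurses and never
 * accepts a directory, so a traversal payload cannot empty another directory.
 */
function wcdp_example_safe_delete(string $base_dir, string $user_path): bool
{
    $target = wcdp_example_confine_path($base_dir, $user_path);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// --- Constructed demonstration in a scratch directory ---
$scratch = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wcdp_example_' . getmypid();
$designs = $scratch . DIRECTORY_SEPARATOR . 'designs';
mkdir($designs, 0700, true);
file_put_contents($designs . '/design-1.json', '{}');
file_put_contents($scratch . '/outside-a.txt', 'outside');
file_put_contents($scratch . '/outside-b.txt', 'outside');

// Unsafe: the traversal escapes the designs directory and removes outside-a.txt.
var_dump(wcdp_example_unsafe_delete($designs, '../outside-a.txt'));   // bool(true)
var_dump(file_exists($scratch . '/outside-a.txt'));                    // bool(false)

// Confined: the same payload, an absolute path and a NUL-byte trick are all refused.
var_dump(wcdp_example_safe_delete($designs, '../outside-b.txt'));       // bool(false)
var_dump(wcdp_example_safe_delete($designs, '/etc/passwd'));            // bool(false)
var_dump(wcdp_example_safe_delete($designs, "design-1.json\0.png"));    // bool(false)
var_dump(file_exists($scratch . '/outside-b.txt'));                     // bool(true)
// A plain file name inside the base is still deletable.
var_dump(wcdp_example_safe_delete($designs, 'design-1.json'));          // bool(true)

// Cleanup.
unlink($scratch . '/outside-b.txt');
rmdir($designs);
rmdir($scratch);
```

In a real WordPress handler the base directory would come from wp_upload_dir()['basedir'] (or a fixed subdirectory of it), and the confinement check is only one layer: the AJAX action should also be registered with the wp_ajax_ hook only (not wp_ajax_nopriv_) so it requires a logged-in user, and it should call check_ajax_referer() and current_user_can() before touching the filesystem. The realpath()-plus-prefix check is preferred over stripping '../' from the input, because stripping can be bypassed with encodings or nested sequences while canonicalisation operates on the path the kernel will actually open.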
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-20T17:00:53.008Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ea263d5baaa01f1ca0ffa1
Added to database: 10/11/2025, 9:41:17 AM
Last enriched: 4/9/2026, 5:44:34 PM
Last updated: 5/10/2026, 12:16:23 AM
Views: 475