CVE-2025-6440: CWE-434 Unrestricted Upload of File with Dangerous Type in JMA Plugins WooCommerce Designer Pro
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-6440 is a critical security vulnerability identified in the WooCommerce Designer Pro plugin for WordPress, affecting all versions up to and including 1.9.26. The vulnerability arises from the 'wcdp_save_canvas_design_ajax' function, which lacks proper file type validation, allowing unauthenticated attackers to upload arbitrary files to the server. It is classified under CWE-434, an unrestricted file upload flaw. Because the plugin is used by the Pricom - Printing Company & Design Services WordPress theme, any website running this theme and plugin combination is at risk. Without file type validation, attackers can upload malicious files such as web shells or scripts that can then be executed remotely, leading to remote code execution (RCE). The CVSS v3.1 base score of 9.8 reflects the vulnerability's high severity: the attack vector is network-based, no privileges or user interaction are required, and the impact on confidentiality, integrity, and availability is high. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable. This flaw can lead to full system compromise, data theft, defacement, or service disruption. The vulnerability was reserved in June 2025 and published in October 2025, but no official patches are currently linked, so mitigation may require manual intervention until a plugin update becomes available.
Potential Impact
The impact of CVE-2025-6440 is severe for organizations using the WooCommerce Designer Pro plugin, particularly those running e-commerce sites on WordPress with the Pricom theme. Successful exploitation allows attackers to upload arbitrary files, potentially leading to remote code execution and complete server compromise. This threatens the confidentiality of sensitive customer and business data, the integrity of website content and transactions, and the availability of the e-commerce platform. Attackers could deploy web shells to maintain persistent access, steal payment information, manipulate orders, or disrupt services, causing financial loss and reputational damage. Given WooCommerce's widespread use in online retail, the vulnerability could affect a large number of small to medium businesses globally. Additionally, compromised sites could be used as launchpads for further attacks, including lateral movement within corporate networks or distribution of malware to customers. The lack of an authentication requirement and the ease of exploitation increase the risk of rapid and widespread attacks.
Mitigation Recommendations
Immediate mitigation steps include disabling or removing the WooCommerce Designer Pro plugin until a security patch is released. Administrators should monitor web server logs for suspicious file upload attempts and check upload directories for unexpected file types. Implementing web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoint ('wcdp_save_canvas_design_ajax') can reduce exposure. Restricting file upload permissions on the server and enforcing strict file type validation at the web server or application firewall level can help prevent malicious uploads. Regularly updating WordPress core, themes, and plugins is essential once the vendor releases a patched version. Additionally, scanning the website for web shells or unauthorized files and conducting a thorough security audit are recommended. Employing intrusion detection systems (IDS) and endpoint detection and response (EDR) tools can help identify exploitation attempts. Organizations should also ensure proper backup and recovery procedures are in place to restore systems if compromised.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-20T17:05:55.640Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb2c431dfaf394b9f9a8dc
Added to database: 10/24/2025, 7:35:31 AM
Last enriched: 2/26/2026, 3:36:03 PM
Last updated: 3/23/2026, 3:29:38 AM