What the vulnerability does
01 Description
The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
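The description attributes the flaw to insufficient validation of user-supplied URLs before they reach download_url(). The plain-PHP check below is an added example, not the plugin's code or its actual fix; the function name, the allowlist policy and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the Printful plugin's own code.
// Assumption: remote files may only come from an explicit host allowlist.
// $resolver maps a hostname to a list of IP strings (injectable for tests).
function is_safe_fetch_url(string $url, array $allowed_hosts, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    // https only: blocks http://, file:// and other schemes.
    if ($parts === false || !isset($parts['host'])
        || strtolower($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    // No embedded credentials, no non-default port.
    if (isset($parts['user']) || isset($parts['pass']) || ($parts['port'] ?? 443) !== 443) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, $allowed_hosts, true)) {
        return false; // also rejects IP literals such as 127.0.0.1
    }
    // An allowlisted name can still point inward, so check what it resolves to.
    // The default resolver covers IPv4 (A records) only.
    $resolver = $resolver ?? static function (string $h): array {
        $ips = gethostbynamel($h);
        return $ips === false ? [] : $ips;
    };
    $ips = $resolver($host);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // private, loopback, link-local or reserved address
        }
    }
    return $ips !== []; // an unresolvable host is rejected too
}

// Constructed sample data: a fake DNS table so the demo runs offline.
$dns = ['cdn.example.com' => ['93.184.216.34'], 'img.example.com' => ['10.0.0.5']];
$lookup = fn(string $h): array => $dns[$h] ?? [];
$allow = array_keys($dns);
$urls = ['https://cdn.example.com/chart.png', 'https://img.example.com/chart.png',
    'http://cdn.example.com/chart.png', 'https://127.0.0.1/chart.png'];
foreach ($urls as $u) {
    printf("%-36s %s\n", $u, is_safe_fetch_url($u, $allow, $lookup) ? 'allow' : 'reject');
}
```

Run the check immediately before the fetch and apply it again to any redirect target, since a URL that passes validation can still redirect to an internal address.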
Explanation of Vulnerability in Simple Terms
02 Summary
The Printful Integration for WooCommerce plugin versions 2.2.11 and earlier contain a server-side request forgery vulnerability. An authenticated attacker can make the site send HTTP requests to internal or external systems on their behalf. The vulnerability requires a logged-in user account and can leak sensitive data or interact with restricted services.
What an attacker can do
03 Attacker Capabilities
Make the site send HTTP requests to internal systems or external URLs to access restricted data or services.
Potential impact on your site
04 Site Impact
Attackers with user accounts can probe your internal network, access private APIs, or exfiltrate data through the site.
Conditions required to exploit
05 Prerequisites
Attacker must have a logged-in, low-privilege user account (Contributor-level access or above, per the description) on the WooCommerce site.
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 8, 2026: Record updated