What the vulnerability does
01 Description
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2. This is due to insufficient path validation in the store_design_data() function. The function constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter, which is sanitized only with sanitize_text_field() (a function that does not strip path traversal sequences), and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename(). The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint. This makes it possible for unauthenticated attackers to delete arbitrary files on the affected site's server, which may make remote code execution possible.
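The kind of path check the description says is missing, shown as an added example (not the plugin's code or its patch). The helper name `example_resolve_design_dir`, the allowed key format and the temporary directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helper, not the plugin's code or its patch.

/**
 * Resolve a per-design folder under $base_dir from a request-supplied key.
 * Returns the canonical path, or null when the key must be rejected.
 */
function example_resolve_design_dir(string $base_dir, string $item_key): ?string
{
    // 1. Allowlist the key format (assumed: letters, digits, '_' and '-').
    //    Text sanitizers do not do this; '..' and '/' pass through them.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $item_key) !== 1) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() resolves '..' and symlinks
    //    and returns false when the target does not exist.
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $item_key);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    // 3. Containment: the target must sit strictly inside the base directory,
    //    so the base itself and sibling directories are refused.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo data: a temporary base directory with one design folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR
      . 'example_designs_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'a1b2c3', 0700, true);

// Constructed keys: one valid, the rest must be refused before any
// delete or rename call sees the path.
$keys = ['a1b2c3', '../', '../outside', 'a1b2c3/../..', '', 'missing'];
foreach ($keys as $key) {
    $dir = example_resolve_design_dir($base, $key);
    printf("%-16s => %s\n", var_export($key, true), $dir === null ? 'REJECTED' : 'OK');
}

rmdir($base . DIRECTORY_SEPARATOR . 'a1b2c3');
rmdir($base);
```

Only the first key resolves; every other key is rejected either by the allowlist or because the folder does not exist under the base directory.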
Explanation of Vulnerability in Simple Terms
02 Summary
The Printcart Web to Print Product Designer for WooCommerce plugin contains a path traversal vulnerability that allows unauthenticated attackers to modify or delete files on the affected site. An attacker can craft requests to access files outside the intended directory, potentially compromising site integrity and availability. All versions up to 2.5.2 are affected. Site owners should update immediately when a patched version becomes available.
What an attacker can do
03 Attacker Capabilities
Modify or delete files on the site without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter or remove critical site files, causing data loss or site malfunction.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
July 3, 2026: CVE published