PatchSiren cyber security CVE debrief
CVE-2026-9725 printcart CVE debrief
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2. This vulnerability exists due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter. The parameter is sanitized only with sanitize_text_field(), which does not strip path traversal sequences. As a result, unauthenticated attackers can delete arbitrary files on the affected site's server, potentially enabling remote code execution. Users of the plugin, especially those with versions up to and including 2.5.2, should be aware of this vulnerability and take necessary precautions.
- Vendor
- printcart
- Product
- Printcart Web to Print Product Designer for WooCommerce
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users of the Printcart Web to Print Product Designer for WooCommerce plugin for WordPress, especially those with versions up to and including 2.5.2, should be aware of the Arbitrary File Deletion vulnerability. This vulnerability can lead to remote code execution, making it critical for users to update the plugin to a version beyond 2.5.2 and implement additional security measures.
Technical summary
The vulnerability exists due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field(). This allows unauthenticated attackers to delete arbitrary files on the affected site's server, potentially enabling remote code execution. The nonce protecting the nbd_save_customer_design AJAX action is freely obtainable by unauthenticated users via the nbd_check_use_logged_in endpoint.
Defensive priority
High priority should be given to updating the Printcart Web to Print Product Designer for WooCommerce plugin to a version beyond 2.5.2. Additionally, users should review and restrict access to sensitive files and directories, monitor server logs for suspicious activities, and implement Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.
Recommended defensive actions
- Update the Printcart Web to Print Product Designer for WooCommerce plugin to a version beyond 2.5.2.
- Review and restrict access to sensitive files and directories.
- Monitor server logs for suspicious file deletion activities.
- Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
Evidence from the NVD and Wordfence indicates that the vulnerability exists in versions up to and including 2.5.2 of the plugin. The CVE record and NVD detail provide additional context on the vulnerability. However, due to limited source detail, further verification is required to confirm the scope and impact of the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T06:16:23.263Z and has not been modified since then. The NVD entry is currently Deferred.