Scan free
CRITICALCVE-2025-47641CVSS 10

CVE-2025-47641: Arbitrary File Access in Printcart WooCommerce Designer

Platform

wordpress

Component

printcart-integration

Fixed in

2.3.10

View on NVD
Save

CVE-2025-47641 describes an Arbitrary File Access vulnerability discovered in the Printcart Web to Print Product Designer for WooCommerce plugin. This flaw allows attackers to upload files of any type, including malicious web shells, to the web server. Versions 0.0.0 through 2.3.9 are affected, and a fix is available in version 2.3.10, released on an unspecified date.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The primary impact of this vulnerability is the ability for an attacker to upload arbitrary files to the web server. This includes web shells, which can grant the attacker remote code execution (RCE) and complete control over the compromised server. Successful exploitation could lead to data breaches, defacement of the website, installation of malware, and lateral movement within the network. The unrestricted nature of the upload makes this a particularly dangerous vulnerability, as attackers are not limited in the type of malicious payload they can deploy. The potential for RCE significantly expands the blast radius, potentially impacting any systems accessible from the compromised web server.

Exploitation Context

The vulnerability's severity (CVSS 10) indicates a high probability of exploitation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation. As of the publication date (2025-05-23), there is no indication of active exploitation campaigns, but the vulnerability's ease of exploitation suggests it will be actively targeted. Monitor security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.41% (61% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H10.0CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentprintcart-integration
Vendorprintcart
Minimum version0.0.0
Maximum version2.3.9
Fixed in2.3.10

Weakness Classification (CWE)

CWE-434

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-47641 is to immediately upgrade the Printcart Web to Print Product Designer for WooCommerce plugin to version 2.3.10 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file uploads to specific, safe file types using server-side configuration (e.g., .jpg, .png) and implementing strict file size limits. Web Application Firewalls (WAFs) can be configured to block suspicious file uploads based on file type or content. After upgrading, verify the fix by attempting to upload a test file with a dangerous extension (e.g., .php) to confirm that the upload is blocked.

How to fix

Actualice el plugin Printcart Web to Print Product Designer for WooCommerce a la versión 2.3.10 o superior para solucionar la vulnerabilidad de subida arbitraria de archivos. Esta actualización corrige la falta de validación de los tipos de archivo permitidos, lo que permite a los atacantes subir archivos maliciosos, incluyendo webshells, al servidor.

Frequently asked questions

What is CVE-2025-47641 — Arbitrary File Access in Printcart WooCommerce Designer?

CVE-2025-47641 is a critical vulnerability in Printcart Web to Print Product Designer for WooCommerce allowing attackers to upload arbitrary files, potentially leading to server compromise. It affects versions 0.0.0–2.3.9 and has a CVSS score of 10.

Am I affected by CVE-2025-47641 in Printcart WooCommerce Designer?

You are affected if you are using Printcart Web to Print Product Designer for WooCommerce versions 0.0.0 through 2.3.9. Immediately check your plugin version and upgrade if necessary.

How do I fix CVE-2025-47641 in Printcart WooCommerce Designer?

Upgrade the Printcart Web to Print Product Designer for WooCommerce plugin to version 2.3.10 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file types and using a WAF.

Is CVE-2025-47641 being actively exploited?

While there's no confirmed active exploitation at this time, the vulnerability's ease of exploitation suggests it will likely be targeted. Monitor security advisories and threat intelligence.

Where can I find the official Printcart advisory for CVE-2025-47641?

Refer to the Printcart website and their official security advisory page for the most up-to-date information regarding CVE-2025-47641 and the available fix. Check their support forums and documentation as well.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free
livefree scan

Scan your WordPress project now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...