Platform
wordpress
Component
woocommerce-designer-pro
Fixed in
1.9.27
CVE-2025-6439 is an arbitrary file access vulnerability affecting WooCommerce Designer Pro, a WordPress plugin used with the Pricom theme. An unauthenticated attacker can exploit this flaw to delete files on the server, potentially leading to remote code execution, data loss, or complete site unavailability. The vulnerability impacts versions 1.0.0 through 1.9.26, and a patch is available in version 1.9.27.
This vulnerability poses a significant risk due to its ease of exploitation and potential for severe consequences. An attacker can leverage the insufficient file path validation in the wcdpsavecanvasdesignajax function to delete any file on the server they have write access to. This could involve deleting core WordPress files, plugin files, or even critical system files. Successful exploitation could lead to complete site compromise, allowing the attacker to execute arbitrary code, steal sensitive data, or disrupt service. The lack of authentication required for exploitation further amplifies the risk, making it accessible to a wide range of attackers.
CVE-2025-6439 was publicly disclosed on 2025-10-11. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the potential for severe impact suggest a high probability of exploitation. The vulnerability has not yet been added to the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS
1.30% (80% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade WooCommerce Designer Pro to version 1.9.27 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file write permissions on the WordPress server to the minimum necessary. Implement a Web Application Firewall (WAF) with rules to block requests to the wcdpsavecanvasdesignajax endpoint with suspicious file paths. Regularly review WordPress plugin installations and remove any unused or outdated plugins. After upgrading, confirm the fix by attempting to access the vulnerable endpoint with a crafted request and verifying that file deletion is prevented.
Actualice el plugin WooCommerce Designer Pro a la versión 1.9.27 o superior para mitigar la vulnerabilidad de eliminación arbitraria de archivos. Esta actualización aborda la falta de validación adecuada de las rutas de archivo, previniendo que atacantes no autenticados eliminen archivos en el servidor.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-6439 is a critical vulnerability in WooCommerce Designer Pro allowing unauthenticated attackers to delete files, potentially leading to remote code execution, data loss, or site unavailability.
You are affected if your WordPress site uses the Pricom theme and WooCommerce Designer Pro version 1.0.0 through 1.9.26.
Upgrade WooCommerce Designer Pro to version 1.9.27 or later. Consider temporary mitigation steps like restricting file write permissions and WAF rules if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of exploitation. Monitor security advisories for updates.
Refer to the WooCommerce Designer Pro website and WordPress plugin repository for the latest security advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.