Platform
wordpress
Component
woocommerce-designer-pro
Fixed version
1.9.27
CVE-2025-6439 is an arbitrary file access vulnerability affecting WooCommerce Designer Pro, a WordPress plugin used with the Pricom theme. An unauthenticated attacker can exploit this flaw to delete files on the server, potentially leading to remote code execution, data loss, or complete site unavailability. The vulnerability impacts versions 1.0.0 through 1.9.26, and a patch is available in version 1.9.27.
This vulnerability poses a significant risk because it is easy to exploit and its consequences can be severe. An attacker can leverage the insufficient file path validation in the wcdp_save_canvas_design_ajax function to delete any file on the server that the web server process can write to, including core WordPress files, plugin files, or critical system files. Successful exploitation could lead to complete site compromise, allowing the attacker to execute arbitrary code, steal sensitive data, or disrupt service. Because no authentication is required, the flaw is reachable by a wide range of attackers, which further amplifies the risk.
CVE-2025-6439 was publicly disclosed on 2025-10-11. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the potential for severe impact suggest a high probability of exploitation. The vulnerability has not yet been added to the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
WordPress websites utilizing the Pricom theme and running versions of WooCommerce Designer Pro prior to 1.9.27 are at significant risk. Shared hosting environments are particularly vulnerable, as attackers may be able to exploit this vulnerability to impact multiple websites hosted on the same server.
• wordpress / composer / npm:
  grep -r 'wcdp_save_canvas_design_ajax' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list | grep "WooCommerce Designer Pro"
• wordpress / composer / npm:
  curl -I 'http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=wcdp_save_canvas_design_ajax&file=/etc/passwd' | head -n 1
• generic web: Check the WordPress plugin directory for outdated versions of WooCommerce Designer Pro.
disclosure
Exploitation status
EPSS
1.30% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade WooCommerce Designer Pro to version 1.9.27 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, restrict file write permissions on the WordPress server to the minimum necessary. Implement a Web Application Firewall (WAF) with rules that block requests to the wcdp_save_canvas_design_ajax endpoint carrying suspicious file paths. Regularly review WordPress plugin installations and remove any unused or outdated plugins. After upgrading, confirm the fix by attempting to access the previously vulnerable endpoint with a crafted request and verifying that file deletion is prevented.
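The WAF-style check described above, as an added example that is not part of this advisory or the plugin's code: it scans constructed access-log lines for the wcdp_save_canvas_design_ajax action and flags any request whose file parameter would resolve outside an assumed plugin upload directory. The parameter name `file` follows the curl check listed earlier; the log format, IP addresses and the ALLOWED_BASE path are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_ACTION = "wcdp_save_canvas_design_ajax"
ALLOWED_BASE = "/var/www/html/wp-content/uploads/wcdp"   # assumed upload directory

# Constructed access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcdp_save_canvas_design_ajax&file=designs/123.json HTTP/1.1" 200 51
203.0.113.9 - - [11/Oct/2025:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=wcdp_save_canvas_design_ajax&file=../../../../wp-config.php HTTP/1.1" 200 0
198.51.100.2 - - [11/Oct/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12
203.0.113.9 - - [11/Oct/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=wcdp_save_canvas_design_ajax&file=%2Fetc%2Fpasswd HTTP/1.1" 200 0
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def path_escapes_base(user_path: str, base: str = ALLOWED_BASE) -> bool:
    """Return True if the supplied path would resolve outside ``base``."""
    decoded = unquote(unquote(user_path))   # also catches double-encoded traversal
    if decoded.startswith("/"):             # absolute paths are never acceptable
        return True
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    return resolved != base and not resolved.startswith(base + "/")


def find_suspicious(log_text: str):
    """Return (ip, timestamp, file_param) for requests that should be blocked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        if VULN_ACTION not in query.get("action", []):
            continue
        for candidate in query.get("file", []):
            if path_escapes_base(candidate):
                hits.append((m["ip"], m["ts"], candidate))
    return hits


if __name__ == "__main__":
    for ip, ts, f in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious file parameter: {f!r}")
```

The same `path_escapes_base` rule can be expressed as a WAF condition on the `file` parameter; a request that trips it should be blocked and logged rather than forwarded to admin-ajax.php.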
Update the WooCommerce Designer Pro plugin to version 1.9.27 or later to mitigate the arbitrary file deletion vulnerability. This update addresses the missing validation of file paths, preventing unauthenticated attackers from deleting files on the server.
CVE-2025-6439 is a critical vulnerability in WooCommerce Designer Pro allowing unauthenticated attackers to delete files, potentially leading to remote code execution, data loss, or site unavailability.
You are affected if your WordPress site uses the Pricom theme and WooCommerce Designer Pro version 1.0.0 through 1.9.26.
Upgrade WooCommerce Designer Pro to version 1.9.27 or later. Consider temporary mitigation steps like restricting file write permissions and WAF rules if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of exploitation. Monitor security advisories for updates.
Refer to the WooCommerce Designer Pro website and WordPress plugin repository for the latest security advisory and update information.