CVE-2025-6439

CVE-2025-6439 is a critical vulnerability in the WooCommerce Designer Pro plugin for WordPress, specifically used by the Pricom - Printing Company & Design Services WordPress theme. It stems from insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function, enabling arbitrary file deletion across all versions up to and including 1.9.26. Published on 2025-10-11, the flaw is classified under CWE-22 (Path Traversal) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By leveraging the flawed AJAX handler, they can delete all files in an arbitrary server directory, potentially resulting in remote code execution, significant data loss, or complete site unavailability.

Advisories from Wordfence provide detailed threat intelligence on the vulnerability, while the plugin's CodeCanyon listing serves as the primary source for the affected software. No specific patch details are outlined in the available information, underscoring the need for immediate updates beyond version 1.9.26 or alternative mitigations like disabling the plugin.