External risk intelligence

Printcart Web to Print Arbitrary File Deletion Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-9725

This vulnerability affects a WordPress plugin, which is typically deployed as part of an internet-facing web application. The functionality is exposed through a web interface that is commonly accessible to users over the public internet.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in a WordPress plugin used for product design, allowing unauthenticated attackers to delete arbitrary files on the server. While this could potentially lead to remote code execution, the primary concern is confirming if this specific plugin is in use and if it's exposed to the internet.

  • Attackers can delete files on the server.
  • Plugin usage and exposure need confirmation.
  • Assess relevance and potential impact.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable WordPress site. This request would leverage a flaw in how the Printcart Web to Print Product Designer plugin handles file paths, allowing the attacker to delete arbitrary files on the server. Successful exploitation could lead to significant disruption or potentially remote code execution.

  • Attacker can be unauthenticated.
  • Deletes arbitrary files via a POST request.
  • Server disruption and possible code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to delete arbitrary files on a website's server. When supported by the advisory, this could lead to the removal of critical system files or application components, potentially resulting in service disruption or enabling further compromise, such as remote code execution.

  • Arbitrary files on the server.
  • Via path traversal in a POST request.
  • Service disruption or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Printcart Web to Print Product Designer for WooCommerce plugin, a component of WordPress sites, is vulnerable to arbitrary file deletion. This could allow unauthenticated attackers to execute remote code. The first practical step is to identify all instances of this plugin, confirm their accessibility and business criticality, locate the accountable owner, and then plan remediation based on the identified risk.

  • WordPress site administrators and plugin owners.
  • Verify plugin presence and reachability.
  • Plan coordinated updates or removals.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Printcart Web to Print plugin?

The Printcart Web to Print Product Designer for WooCommerce is a WordPress plugin used by online shops to provide customers with a custom design interface for products. It adds interactive canvas functionality to product pages, allowing users to modify designs before adding them to their cart, which requires the plugin to manage and store design-related files on the underlying web server.

What does CWE-22 mean for CVE-2026-9725?

CVE-2026-9725 is classified as CWE-22, also known as Path Traversal. This weakness occurs when an application fails to properly sanitize user input before using it to construct file paths. In this specific case, the plugin allows an attacker to use special character sequences to escape the intended directory, ultimately tricking the server into deleting files located in other parts of the system that the plugin should not access.

How can an attacker trigger this vulnerability?

An attacker can trigger the bug by sending a specially crafted POST request containing a malicious file path. Because the plugin does not properly validate the 'nbd_item_key' parameter, the path traversal sequences are processed as legitimate commands. It is important to note that simply visiting a product page or browsing the site does not trigger this; the attacker must intentionally submit a specifically formatted request to the plugin's internal design-saving function.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal indicates a high likelihood of concern because this plugin is designed for WordPress, a platform typically deployed as an internet-facing web application. Since the vulnerable functionality is exposed through a web interface accessible over the public internet, any site running an unpatched version of this plugin is directly reachable by external threats.

What should I do if I use this plugin?

Your first step is to perform an inventory of your WordPress environment to confirm if the Printcart Web to Print plugin is installed. Once identified, consult your plugin management dashboard to verify your version number. If you are running version 2.5.2 or earlier, prioritize coordinating an update to a secure version with your technical team to eliminate the vulnerability, or disable the plugin entirely if it is not business-critical.

References