Cyber Resilience

CVE-2025-6439

Critical

Published: 11 October 2025

Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none recorded in the supplied references)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0222 (84.9th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6439 is a critical-severity Path Traversal (CWE-22) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services theme, contains a path traversal vulnerability (CWE-22) in the wcdp_save_canvas_design_ajax function. All versions through 1.9.26 are affected, allowing arbitrary file deletion because of insufficient validation of supplied file paths. The issue carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can invoke the AJAX handler over the network to delete every file within an arbitrary directory on the server. Successful exploitation can result in remote code execution, complete data loss, or denial of service through site unavailability.

No mitigation details or patch information appear in the supplied references. The EPSS score remains flat at 0.0222 with no observed increase after disclosure.

EU & UK References

Vulnerability details

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

T1190: the unauthenticated path traversal sits in a public-facing WordPress plugin, so exploiting it is an attack on a public-facing application. T1070.004: the vulnerability directly allows arbitrary file deletion on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3666 (shared CWE-22)
CVE-2018-25308 (shared CWE-22)
CVE-2026-22460 (shared CWE-22)
CVE-2025-69377 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-26752 (shared CWE-22)
CVE-2026-4350 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)
CVE-2026-4758 (shared CWE-22)
CVE-2026-0704 (shared CWE-22)

Affected Assets

Codecanyon
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly addresses the insufficient file path validation in the wcdp_save_canvas_design_ajax function, preventing path traversal attacks that enable arbitrary file deletion.

SI-2 Flaw Remediation (prevent)

Ensures timely flaw remediation by requiring patching or removal of vulnerable WooCommerce Designer Pro plugin versions up to and including 1.9.26.

Boundary protection (prevent, detect)

Boundary protection at web interfaces can monitor and block path traversal payloads aimed at the unauthenticated AJAX endpoint.

References