CVE-2025-6439
Published: 11 October 2025
Summary
CVE-2025-6439 is a critical-severity Path Traversal (CWE-22) vulnerability in the WooCommerce Designer Pro plugin for WordPress (sold through Codecanyon and bundled with the Pricom - Printing Company & Design Services theme), affecting all versions up to and including 1.9.26. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 17.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient file path validation in the wcdp_save_canvas_design_ajax function, preventing the path traversal that enables arbitrary file deletion.
- SI-2 (Flaw Remediation): ensures timely remediation by requiring that vulnerable WooCommerce Designer Pro versions (up to and including 1.9.26) are patched or removed.
- SC-7 (Boundary Protection): boundary protection at the web tier (WAF or reverse proxy) can monitor and block path traversal payloads sent to the unauthenticated AJAX endpoint while the plugin is still unpatched.
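The boundary-protection control above is only useful if traversal payloads are actually recognised in traffic. The following is an added example, not code from the plugin, Wordfence or this page: it scans constructed access-log lines for dot-dot sequences (plain, URL-encoded and double-encoded) aimed at admin-ajax.php. The `action` and `path` parameter names in the sample lines are hypothetical, since the page does not give the AJAX action name or parameter.

```php
<?php
// Added example (not the plugin's or the page's code): flag traversal payloads aimed at
// WordPress' AJAX front door in access-log lines. Sample lines are constructed; the
// "action" and "path" parameter names are hypothetical. Requires PHP 8 (str_ends_with).
declare(strict_types=1);

/** Decode twice and lower-case so ..%2F, %2e%2e%2f and %252e%252e%252f all collapse to "../". */
function traversal_normalize(string $s): string
{
    return strtolower(rawurldecode(rawurldecode($s)));
}

/** True when the decoded request target contains a dot-dot path segment or a NUL byte. */
function traversal_present(string $target): bool
{
    $n = traversal_normalize($target);
    // ".." bounded by a path separator or query delimiter, or a NUL byte used to truncate paths
    return (bool) preg_match('#(^|[/\\\\?=&])\.\.(?=[/\\\\&]|$)|\x00#', $n);
}

/** Parse one combined-format line into client/method/target/status, or null if it does not fit. */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'method' => $m[2], 'target' => $m[3], 'status' => (int) $m[4]];
}

/** Return the parsed records that hit admin-ajax.php with a traversal payload in the URL. */
function flag_ajax_traversal(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_access_line($line);
        if ($r === null) {
            continue;
        }
        $path = parse_url($r['target'], PHP_URL_PATH);
        if (!is_string($path) || !str_ends_with($path, '/admin-ajax.php')) {
            continue;   // only the WordPress AJAX endpoint is in scope for this rule
        }
        if (traversal_present($r['target'])) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample lines in combined log format; not real traffic.
$sample = [
    '203.0.113.7 - - [11/Oct/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=wcdp_save_canvas_design&path=..%2F..%2Fwp-config.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '203.0.113.7 - - [11/Oct/2025:10:15:02 +0000] "GET /wp-content/uploads/2025/10/design.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Oct/2025:10:16:40 +0000] "POST /wp-admin/admin-ajax.php?action=wcdp_save_canvas_design&path=%252e%252e%252f%252e%252e%252f HTTP/1.1" 200 31 "-" "python-requests/2.32"',
    '198.51.100.9 - - [11/Oct/2025:10:17:00 +0000] "GET /index.php?p=..%2F HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];

foreach (flag_ajax_traversal($sample) as $h) {
    printf("ALERT %s %s %s (status %d)\n", $h['client'], $h['method'], $h['target'], $h['status']);
}
```

The first and third sample lines carry traversal payloads against admin-ajax.php and are the ones the rule is meant to surface; the index.php line is traversal too but is deliberately left to a broader rule. The caveat for this CVE is that an AJAX handler normally reads its parameters from the POST body, which access logs do not record, so the same `traversal_present()` check has to run inside a WAF or request-inspection layer over decoded body parameters to be effective as a boundary control, not only over logs after the fact.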
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): the vulnerable AJAX handler ships in a WordPress plugin and is reachable from the internet without authentication, so exploitation is a direct attack on a public-facing application.
T1070.004 (Indicator Removal: File Deletion): the vulnerability's immediate effect is arbitrary file deletion on the server. Note that ATT&CK classifies T1070.004 under Defense Evasion (removing tool and log artefacts); emptying an arbitrary directory for impact is closer to T1485 (Data Destruction), so detection content should cover both.
NVD Description
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
Deeper analysis
CVE-2025-6439 is a critical vulnerability in the WooCommerce Designer Pro plugin for WordPress, which also ships with the Pricom - Printing Company & Design Services WordPress theme. It stems from insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function and allows arbitrary file deletion in all versions up to and including 1.9.26. The issue is classified as path traversal (CWE-22) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
Unauthenticated attackers can exploit the flaw remotely with low complexity. By sending a traversal sequence to the AJAX endpoint, they can delete all files in any directory the web server process can write to, resulting in data loss, site unavailability, or remote code execution. The RCE path is the usual one for file deletion in WordPress: removing wp-config.php drops the site into its installer, which an attacker can complete against a database they control and then use to install arbitrary code.
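The root cause described above is a directory name taken from the request and used without containment checks. The following is an added example, not the plugin's code, that shows a simplified "save canvas design" handler which clears a per-design export directory before writing: first in the unsafe shape the CVE describes, then hardened with a segment allow-list plus a realpath() containment check. Function, parameter and directory names are hypothetical.

```php
<?php
// Added example, not the plugin's code: simplified "save canvas design" handler that empties
// a per-design directory, shown unsafe (directory name from the request, unchecked) and
// hardened. Function, parameter and directory names are hypothetical.
declare(strict_types=1);

/** Remove every regular file in $dir and return what was removed. Shared by both variants. */
function clear_directory(string $dir): array
{
    $removed = [];
    foreach (glob($dir . '/*') ?: [] as $f) {
        if (is_file($f)) {
            unlink($f);
            $removed[] = $f;
        }
    }
    return $removed;
}

/** UNSAFE: "../../" in $design_dir walks out of $base_dir, so any writable directory can be emptied. */
function save_canvas_unsafe(string $base_dir, string $design_dir): array
{
    return clear_directory($base_dir . '/' . $design_dir);
}

/**
 * HARDENED: (1) allow-list the directory name to a single safe path segment, then
 * (2) canonicalise with realpath() and require the result to be strictly inside $base_dir,
 * which also rejects a symlinked subdirectory that points elsewhere.
 */
function save_canvas_safe(string $base_dir, string $design_dir): array
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $design_dir)) {
        throw new InvalidArgumentException('design directory name rejected');
    }
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $design_dir);
    if ($base === false || $target === false || $target === $base
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('target is outside the uploads directory');
    }
    return clear_directory($target);
}

// Demonstration in a throw-away temp tree (constructed for this example).
$root = sys_get_temp_dir() . '/wcdp_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads/designs/abc", 0700, true);
mkdir("$root/secret", 0700, true);
file_put_contents("$root/secret/config.php", "<?php // stand-in for wp-config.php\n");
file_put_contents("$root/uploads/designs/abc/old.png", 'x');

foreach (['abc', '../../secret', 'abc/../../../secret'] as $name) {
    try {
        $n = count(save_canvas_safe("$root/uploads/designs", $name));
        echo "safe handler: '$name' cleared $n file(s)\n";
    } catch (Exception $e) {
        echo "safe handler: '$name' refused: {$e->getMessage()}\n";
    }
}

// The unsafe handler accepts the same traversal and empties $root/secret.
$gone = save_canvas_unsafe("$root/uploads/designs", '../../secret');
echo "unsafe handler: removed " . implode(', ', $gone) . "\n";
```

In a real plugin the handler would be registered with `add_action('wp_ajax_nopriv_...')` and typically guarded with `check_ajax_referer()`; neither substitutes for the containment check, because a design endpoint is meant to be reachable by unauthenticated shoppers and a nonce only proves the request came from the site's own page. The two checks in `save_canvas_safe()` are intentionally redundant: the allow-list rejects traversal syntactically, and the realpath() comparison catches anything the allow-list would let through, such as a directory name that is a symlink to a location outside the uploads tree.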
The Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/407a0bc3-2775-4a34-9817-924bf94a4f94?source=cve) is the primary technical reference, and the Codecanyon listing (https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731) is the vendor's distribution page for the affected software. The NVD text bounds the affected range at 1.9.26 but does not itself name a fixed release, so check the Wordfence advisory for the patched version. Until the plugin is updated, the endpoint should be treated as exposed: it requires no authentication, so blocking traversal sequences to admin-ajax.php at the WAF or reverse proxy is the only interim control.
Details
- CWE(s)