CVE-2025-6439
Published: 11 October 2025
Summary
CVE-2025-6439 is a critical-severity path traversal (CWE-22) vulnerability in the WooCommerce Designer Pro plugin for WordPress; the vendor is recorded as Codecanyon (inferred from references). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services theme, contains a path traversal vulnerability (CWE-22) in the wcdp_save_canvas_design_ajax function. All versions up to and including 1.9.26 are affected: the handler does not adequately validate the file paths it is given, so an attacker can point its file deletion at a directory of their choosing. The issue carries a CVSS 3.1 score of 9.8.
Because the AJAX handler is reachable without authentication, a remote attacker can invoke it to delete every file within an arbitrary directory on the server. Depending on what is removed, successful exploitation can result in remote code execution, complete data loss, or denial of service through site unavailability.
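A worked illustration of the failure mode described above, added here as an example; it is not code from the plugin and makes no claim about how wcdp_save_canvas_design_ajax actually builds its paths. It stands up a throwaway directory tree (constructed), shows a handler that trusts a caller-supplied directory name deleting files outside the designs folder, and beside it the containment check (canonicalise, then require the target to sit at or below the base) that closes the hole. Python's os.path.realpath plays the role PHP's realpath() would play in a WordPress plugin; the directory layout and the payload are assumptions for the demo.

```python
import os
import tempfile


def make_sandbox():
    """Constructed stand-in for a WordPress install: a designs upload
    directory (the only place the handler should ever touch) and a
    wp-config.php a few levels above it, representing 'files outside
    the intended directory'."""
    root = tempfile.mkdtemp(prefix="wp-")
    designs = os.path.join(root, "wp-content", "uploads", "designs")
    os.makedirs(os.path.join(designs, "order-42"))
    with open(os.path.join(designs, "order-42", "canvas.json"), "w") as fh:
        fh.write("{}")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // database credentials live here\n")
    return root, designs


def _delete_files_in(target):
    deleted = []
    for name in os.listdir(target):
        path = os.path.join(target, name)
        if os.path.isfile(path):
            os.remove(path)
            deleted.append(path)
    return deleted


def delete_dir_files_unsafe(base, subdir):
    """Vulnerable pattern: the caller-supplied directory name is joined
    onto the base and used as-is. os.path.join keeps '..' segments and
    an absolute second argument replaces the base entirely, so the
    final target can be anywhere on the filesystem."""
    return _delete_files_in(os.path.join(base, subdir))


def resolve_inside(base, subdir):
    """Hardened resolution: canonicalise both paths (symlinks and '..'
    collapsed) and require the target to be the base itself or live
    below it. Returns the canonical target, or None if the candidate
    escapes the base, is a symlink pointing outside it, or is missing."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(os.path.join(base_real, subdir))
    if os.path.commonpath([base_real, target_real]) != base_real:
        return None
    if not os.path.isdir(target_real):
        return None
    return target_real


def delete_dir_files_safe(base, subdir):
    target = resolve_inside(base, subdir)
    if target is None:
        raise ValueError("refusing path outside the designs directory: %r" % subdir)
    return _delete_files_in(target)


def demo():
    """Run both handlers against the same traversal payload and report."""
    payload = "../../.."  # climbs from uploads/designs up to the site root

    root, designs = make_sandbox()
    config = os.path.join(root, "wp-config.php")
    delete_dir_files_unsafe(designs, payload)
    unsafe_deleted_config = not os.path.exists(config)

    root, designs = make_sandbox()
    config = os.path.join(root, "wp-config.php")
    try:
        delete_dir_files_safe(designs, payload)
        blocked = False
    except ValueError:
        blocked = True
    # A symlink inside the base that points outside it must also be refused.
    os.symlink(root, os.path.join(designs, "escape"))
    legit = delete_dir_files_safe(designs, "order-42")  # normal use still works

    return {
        "unsafe_deleted_config": unsafe_deleted_config,
        "safe_blocked_traversal": blocked and os.path.exists(config),
        "safe_blocked_symlink": resolve_inside(designs, "escape") is None,
        "safe_blocked_absolute": resolve_inside(designs, os.path.abspath(os.sep)) is None,
        "legit_deleted": len(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The containment check alone is not the whole fix for a WordPress handler: a destructive operation like this should also be registered only for authenticated, capable users and protected with a nonce, so that an unauthenticated request never reaches the path logic at all.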
No mitigation details or patch information appear in the supplied references. The EPSS score remains flat at 0.0222 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33851
Vulnerability details
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): the path traversal is reachable without authentication through a WordPress plugin exposed on the public web. T1070.004 (Indicator Removal: File Deletion): the vulnerability directly allows arbitrary file deletion on the server.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient file path validation in the wcdp_save_canvas_design_ajax function, preventing the path traversal that enables arbitrary file deletion.
- SI-2 (Flaw Remediation): ensures timely remediation by requiring patching or removal of WooCommerce Designer Pro versions up to and including 1.9.26.
- SC-7 (Boundary Protection): boundary protection at web interfaces, such as a web application firewall, can monitor and block path traversal payloads sent to the unauthenticated AJAX endpoint.
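A log check corresponding to the boundary-protection control, added as an example rather than anything taken from the page's references: it scans constructed access-log lines for traversal sequences in request paths and query values, marks those aimed at /wp-admin/admin-ajax.php (the endpoint through which WordPress AJAX callbacks such as wcdp_save_canvas_design_ajax are reached), and percent-decodes repeatedly so that double-encoded payloads are not missed. The action and parameter names in the sample (example_action, dir) are placeholders; the page does not give the real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample of access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=example_action&dir=order-42 HTTP/1.1" 200 312
203.0.113.7 - - [11/Oct/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=example_action&dir=../../../ HTTP/1.1" 200 312
198.51.100.3 - - [11/Oct/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=example_action&dir=..%2F..%2F..%2Fwp-content HTTP/1.1" 200 312
198.51.100.3 - - [11/Oct/2025:10:02:20 +0000] "POST /wp-admin/admin-ajax.php?action=example_action&dir=%252e%252e%252f%252e%252e%252f HTTP/1.1" 200 312
192.0.2.9 - - [11/Oct/2025:10:03:00 +0000] "GET /wp-content/uploads/2025/10/logo.png HTTP/1.1" 200 8812
192.0.2.9 - - [11/Oct/2025:10:03:05 +0000] "GET /index.php?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment bounded by slashes (either kind) or by the start/end of the value.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if the request path or any query value contains a traversal segment."""
    path, _, query = target.partition("?")
    pieces = [path] + (query.split("&") if query else [])
    for piece in pieces:
        value = piece.partition("=")[2] if "=" in piece else piece
        if TRAVERSAL_RE.search(decode_fully(value)):
            return True
    return False


def find_traversal(log_text):
    """Return one record per request carrying a traversal payload; 'ajax' marks
    requests to the WordPress AJAX endpoint, which is where this CVE is exposed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        if not has_traversal(target):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "target": target,
            "status": int(m.group("status")),
            "ajax": target.partition("?")[0] == AJAX_ENDPOINT,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        flag = "AJAX" if hit["ajax"] else "other"
        print(flag, hit["ip"], hit["ts"], hit["target"], hit["status"])
```

A 200 response to an AJAX request with a traversal payload is the case to escalate; it means the request reached the handler rather than being rejected at the boundary. The same traversal pattern against other endpoints is still worth blocking at the WAF, which is why the check reports them too.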