Critical Vulnerability CVE-2026-9725 in WordPress Plugin Allows File Deletion
This text was generated using artificial intelligence (AI).On July 3, 2026, a critical security vulnerability was disclosed in the WordPress plugin „Printcart Web to Print Product Designer for WooCommerce.“ The vulnerability, identified as CVE-2026-9725 has a CVSS score of 9.1 (critical) This vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This can lead to a complete outage of the website and potentially result in remote code execution. A security update is available.
Key Information:
- CVE ID: CVE-2026-9725 (CVSS 9.1)
- Affected software: „printcart-integration“ plugin, up to and including version 2.5.2
- Effect: Unauthenticated Deletion of Arbitrary Files (Arbitrary File Deletion)
- Solution: Update to version 2.5.3 or later
Analysis of Vulnerability CVE-2026-9725
The vulnerability affects all versions of the plugin up to and including 2.5.2. Since the plugin is used in e-commerce environments with WordPress and WooCommerce, the vulnerability poses a significant risk to affected online stores. An attack does not require authentication or user interaction, which makes the barrier to entry very low for attackers.
By deliberately deleting critical configuration files, attackers can cripple a website (denial of service) or bypass security mechanisms to prepare for further attacks. Under certain circumstances, deleting files can also lead to the execution of arbitrary code on the server (Remote Code Execution), which would result in the complete compromise of the system.
At this time, there are no known active exploits for CVE-2026-9725. However, given the low complexity of the attack and the lack of an authentication requirement, prompt patching is strongly recommended.
Technical Background: Path Traversal with Bypassed Access Control
The cause of CVE-2026-9725 is insufficient path validation, known as path traversal (CWE-22). The vulnerability lies in the function store_design_data(), which uses the parameter provided by the user nbd_item_key processed. The input is processed only using the function sanitize_text_field() adjusted, but which do not contain any path-traversal sequences (../) removed.
This allows attackers to traverse directory levels and construct a path to any file on the server. This manipulated path is then passed to delete or rename functions.
In addition, the protection mechanism (nonce) intended to secure such actions is ineffective. Attackers can obtain a valid nonce value via the publicly accessible endpoint nbd_check_use_logged_in retrieve. This combination of path traversal and easily bypassable access control makes the vulnerability particularly dangerous.
The Printcart plugin is no stranger to the security community: Several vulnerabilities in the same plugin have already been documented in the past, including an unauthenticated file upload vulnerability (CVE-2025-47641, affects versions ≤ 2.3.9) and another path traversal vulnerability (CVE-2025-10268, affects versions ≤ 2.4.8). Sources: WPScan and Patchstack. This cluster of vulnerabilities underscores the importance of continuously monitoring third-party software in use.
Recommended Actions
Companies using the affected plugin should take immediate action to protect their systems.
- Breaking Update: Update the „Printcart Web to Print Product Designer for WooCommerce“ plugin to version 2.5.3 or a newer version. This is the most important step in addressing the security vulnerability.
- Inventory: Identify all WordPress instances in your infrastructure that use this plugin. Check the installed versions and prioritize publicly accessible and business-critical systems for the update.
Relevance for Companies in Germany, Austria, and Switzerland
Companies in Germany, Austria, and Switzerland are subject to additional regulatory obligations in the event of security incidents. If a vulnerability is actively exploited and this results in a data breach involving the personal data of EU citizens, the reporting obligation under Article 33 of the GDPR applies—with a deadline of 72 hours to notify the competent supervisory authority. Operators of critical infrastructure and key facilities as defined by the NIS 2 Directive (implemented in Germany by the NIS2UmsuCG) are also required to systematically address vulnerability management and the risks posed by third-party software. The timely installation of security updates, such as this patch to version 2.5.3, is one of the key foundational measures in this regard.
Visibility as the Foundation for Effective Vulnerability Management
Incidents such as CVE-2026-9725 show that the biggest challenge is often not applying a patch, but finding out in a timely manner whether one’s own systems are affected. Many companies do not have a complete overview of all the web applications they use and their components, especially when business units operate their own systems (shadow IT).
An External Attack Surface Management (EASM) solution such as LocateRisk provides the necessary transparency here. By continuously scanning the external attack surface, all publicly accessible systems and their technological components—such as the „printcart-integration“ plugin—are identified. This provides security teams with a complete and up-to-date inventory, enabling them to respond immediately when a vulnerability is discovered and to locate the affected systems.
Furthermore, this incident highlights the risks associated with third-party software (third-party risk). The security of your digital infrastructure also depends on the security of the plugins and third-party components you use—as exemplified by the recurring vulnerabilities in the Printcart plugin. Continuous Vendor Risk Management (C-VRM) helps to systematically assess and manage such risks. This is also a key requirement of the NIS 2 Directive and standards such as ISO 27001, which call for proactive management of vulnerabilities and vendor risks.
Sources and further information
Do you keep track of all your WordPress plugins?
A single unknown vulnerability in a forgotten system can be enough to put your entire organization at risk. LocateRisk provides continuous monitoring of your external attack surface to identify such risks before they are exploited.
Request your free security scan
Frequently asked questions
CVE-2026-9725 is a critical vulnerability (CVSS 9.1) in the WordPress plugin „Printcart Web to Print Product Designer for WooCommerce.“ It allows unauthenticated attackers to exploit a path traversal vulnerability (CWE-22) in the function store_design_data() delete any files on the affected server, which could lead to a complete system compromise under certain circumstances.
All versions of the „printcart-integration“ plugin up to and including version 2.5.2 are affected. The vendor has released a patch in version 2.5.3. Affected site operators should immediately update the plugin to version 2.5.3 or later and check all WordPress instances in their infrastructure to verify which version of the plugin is being used.
As of the date of publication, July 3, 2026, there are no known active exploits for CVE-2026-9725. However, due to the low complexity of the attack—no attacker requires authentication or user interaction—it is strongly recommended that you install the update as soon as possible.