{"id":9078,"date":"2026-07-03T07:43:22","date_gmt":"2026-07-03T07:43:22","guid":{"rendered":"https:\/\/locaterisk.com\/de\/?p=9078"},"modified":"2026-07-03T07:43:22","modified_gmt":"2026-07-03T07:43:22","slug":"cve-2026-9725-printcart-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/locaterisk.com\/en\/cve-2026-9725-printcart-wordpress-plugin\/","title":{"rendered":"Critical Vulnerability CVE-2026-9725 in WordPress Plugin Allows File Deletion"},"content":{"rendered":"<div class=\"wp-block-lr-blog-article-header-module\">\r\n    <div class=\"content\">\r\n\t\t<div class=\"headline\">\r\n\t\t\t<button class=\"to-blog-button\">Back to Blog                <a href=\"https:\/\/locaterisk.com\/en\/blog\/\"><\/a>\r\n\t\t\t<\/button>\r\n\t\t\t\t\t<\/div>\r\n        <div class=\"main-content\">\r\n\t\t\t\t\t\t<!--\r\n            <div class=\"header\">\r\n                <h6> <\/h6>\r\n            <\/div>\r\n\t\t\t\t\t\t-->\r\n            <h1 class=\"title\">Critical Vulnerability CVE-2026-9725 in WordPress Plugin Allows File Deletion<\/h1>\r\n            <p class=\"paragraph\"><br><span class=\"lr-ai-disclosure\" style=\"display:block;margin:8px 0 28px;font-size:14px;line-height:1.4;color:#8b93a7;font-family:inherit;font-style:italic;\">This text was generated using artificial intelligence (AI).<\/span>On July 3, 2026, a critical security vulnerability was disclosed in the WordPress plugin \u201ePrintcart Web to Print Product Designer for WooCommerce.\u201c The vulnerability, identified as <strong>CVE-2026-9725<\/strong> has a CVSS score of <strong>9.1 (critical)<\/strong> This vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This can lead to a complete outage of the website and potentially result in remote code execution. A security update is available.<\/p>\r\n        <\/div>\r\n    <\/div>\r\n<\/div>\r\n\r\n\r\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"400\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png\" alt=\"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung\" class=\"wp-image-9077\" srcset=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png 400w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured-300x300.png 300w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured-150x150.png 150w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured-12x12.png 12w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure><\/div>\n\n\n<p><strong>Key Information:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE ID:<\/strong> CVE-2026-9725 (CVSS 9.1)<\/li>\n\n\n\n<li><strong>Affected software:<\/strong> \u201eprintcart-integration\u201c plugin, up to and including version 2.5.2<\/li>\n\n\n\n<li><strong>Effect:<\/strong> Unauthenticated Deletion of Arbitrary Files (Arbitrary File Deletion)<\/li>\n\n\n\n<li><strong>Solution:<\/strong> Update to version 2.5.3 or later<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Analysis of Vulnerability CVE-2026-9725<\/strong><\/h2>\n\n\n\n<p>The vulnerability affects all versions of the plugin up to and including <strong>2.5.2<\/strong>. Since the plugin is used in e-commerce environments with WordPress and WooCommerce, the vulnerability poses a significant risk to affected online stores. An attack does not require authentication or user interaction, which makes the barrier to entry very low for attackers.<\/p>\n\n\n\n<p>By deliberately deleting critical configuration files, attackers can cripple a website (denial of service) or bypass security mechanisms to prepare for further attacks. Under certain circumstances, deleting files can also lead to the execution of arbitrary code on the server (Remote Code Execution), which would result in the complete compromise of the system.<\/p>\n\n\n\n<p>At this time, there are no known active exploits for CVE-2026-9725. However, given the low complexity of the attack and the lack of an authentication requirement, prompt patching is strongly recommended.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical Background: Path Traversal with Bypassed Access Control<\/strong><\/h2>\n\n\n\n<p>The cause of CVE-2026-9725 is insufficient path validation, known as path traversal (CWE-22). The vulnerability lies in the function <strong>store_design_data()<\/strong>, which uses the parameter provided by the user <strong>nbd_item_key<\/strong> processed. The input is processed only using the function <strong>sanitize_text_field()<\/strong> adjusted, but which do not contain any path-traversal sequences (<strong>..\/<\/strong>) removed.<\/p>\n\n\n\n<p>This allows attackers to traverse directory levels and construct a path to any file on the server. This manipulated path is then passed to delete or rename functions.<\/p>\n\n\n\n<p>In addition, the protection mechanism (nonce) intended to secure such actions is ineffective. Attackers can obtain a valid nonce value via the publicly accessible endpoint <strong>nbd_check_use_logged_in<\/strong> retrieve. This combination of path traversal and easily bypassable access control makes the vulnerability particularly dangerous.<\/p>\n\n\n\n<p>The Printcart plugin is no stranger to the security community: Several vulnerabilities in the same plugin have already been documented in the past, including an unauthenticated file upload vulnerability (CVE-2025-47641, affects versions \u2264 2.3.9) and another path traversal vulnerability (CVE-2025-10268, affects versions \u2264 2.4.8). Sources: <a href=\"https:\/\/wpscan.com\/plugin\/printcart-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">WPScan<\/a> and <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/printcart-integration\/vulnerability\/wordpress-printcart-web-to-print-product-designer-for-woocommerce-2-3-9-sql-injection-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Patchstack<\/a>. This cluster of vulnerabilities underscores the importance of continuously monitoring third-party software in use.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recommended Actions<\/strong><\/h2>\n\n\n\n<p>Companies using the affected plugin should take immediate action to protect their systems.<\/p>\n\n\n\n<ol class=\"wp-block-list has-text-color\" style=\"color:#ffffff\">\n<li><strong>Breaking Update:<\/strong> Update the \u201ePrintcart Web to Print Product Designer for WooCommerce\u201c plugin to version <strong>2.5.3<\/strong> or a newer version. This is the most important step in addressing the security vulnerability.<\/li>\n\n\n\n<li><strong>Inventory:<\/strong> Identify all WordPress instances in your infrastructure that use this plugin. Check the installed versions and prioritize publicly accessible and business-critical systems for the update.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Relevance for Companies in Germany, Austria, and Switzerland<\/strong><\/h2>\n\n\n\n<p>Companies in Germany, Austria, and Switzerland are subject to additional regulatory obligations in the event of security incidents. If a vulnerability is actively exploited and this results in a data breach involving the personal data of EU citizens, the reporting obligation under Article 33 of the GDPR applies\u2014with a deadline of 72 hours to notify the competent supervisory authority. Operators of critical infrastructure and key facilities as defined by the NIS 2 Directive (implemented in Germany by the NIS2UmsuCG) are also required to systematically address vulnerability management and the risks posed by third-party software. The timely installation of security updates, such as this patch to version 2.5.3, is one of the key foundational measures in this regard.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Visibility as the Foundation for Effective Vulnerability Management<\/strong><\/h2>\n\n\n\n<p>Incidents such as CVE-2026-9725 show that the biggest challenge is often not applying a patch, but finding out in a timely manner whether one\u2019s own systems are affected. Many companies do not have a complete overview of all the web applications they use and their components, especially when business units operate their own systems (shadow IT).<\/p>\n\n\n\n<p>An External Attack Surface Management (EASM) solution such as LocateRisk provides the necessary transparency here. By continuously scanning the external attack surface, all publicly accessible systems and their technological components\u2014such as the \u201eprintcart-integration\u201c plugin\u2014are identified. This provides security teams with a complete and up-to-date inventory, enabling them to respond immediately when a vulnerability is discovered and to locate the affected systems.<\/p>\n\n\n\n<p>Furthermore, this incident highlights the risks associated with third-party software (third-party risk). The security of your digital infrastructure also depends on the security of the plugins and third-party components you use\u2014as exemplified by the recurring vulnerabilities in the Printcart plugin. Continuous Vendor Risk Management (C-VRM) helps to systematically assess and manage such risks. This is also a key requirement of the NIS 2 Directive and standards such as ISO 27001, which call for proactive management of vulnerabilities and vendor risks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Sources and further information<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Wordfence Intelligence (CNA):<\/strong> <a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/5bb962bd-9b23-4820-885e-d8095250c3c7?source=cve\" target=\"_blank\" rel=\"noreferrer noopener\">Vulnerability Advisory CVE-2026-9725<\/a><\/li>\n\n\n\n<li><strong>WordPress.org Plugin Directory:<\/strong> <a href=\"https:\/\/wordpress.org\/plugins\/printcart-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Printcart Integration<\/a><\/li>\n\n\n\n<li><strong>WordPress SVN Plugin:<\/strong> <a href=\"https:\/\/plugins.trac.wordpress.org\/changeset?old_path=%2Fprintcart-integration\/tags\/2.5.2&#038;new_path=%2Fprintcart-integration\/tags\/2.5.3\" target=\"_blank\" rel=\"noreferrer noopener\">Changeset for Version 2.5.3<\/a><\/li>\n\n\n\n<li><strong>WPScan:<\/strong> <a href=\"https:\/\/wpscan.com\/plugin\/printcart-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Printcart Plugin Vulnerability History<\/a><\/li>\n\n\n\n<li><strong>Patchstack:<\/strong> <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/printcart-integration\/vulnerability\/wordpress-printcart-web-to-print-product-designer-for-woocommerce-2-3-9-sql-injection-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Printcart SQL Injection \/ File Upload Vulnerabilities<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Do you keep track of all your WordPress plugins?<\/strong><\/h3>\n\n\n\n<p>A single unknown vulnerability in a forgotten system can be enough to put your entire organization at risk. LocateRisk provides continuous monitoring of your external attack surface to identify such risks before they are exploited.<\/p>\n\n\n\n<p><a href=\"https:\/\/locaterisk.com\/en\/demo\/\" target=\"_blank\" rel=\"noreferrer noopener\">Request your free security scan<\/a><\/p>\n\n\n\n<div class=\"wp-block-lr-faq-module\"><div class=\"content\"><h3><strong>Frequently asked questions<\/strong><\/h3><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>What is CVE-2026-9725?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">CVE-2026-9725 is a critical vulnerability (CVSS 9.1) in the WordPress plugin \u201ePrintcart Web to Print Product Designer for WooCommerce.\u201c It allows unauthenticated attackers to exploit a path traversal vulnerability (CWE-22) in the function <strong>store_design_data()<\/strong> delete any files on the affected server, which could lead to a complete system compromise under certain circumstances.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Which plugin versions are affected, and how can I protect myself?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">All versions of the \u201eprintcart-integration\u201c plugin up to and including version 2.5.2 are affected. The vendor has released a patch in version 2.5.3. Affected site operators should immediately update the plugin to version 2.5.3 or later and check all WordPress instances in their infrastructure to verify which version of the plugin is being used.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Is CVE-2026-9725 already being actively exploited?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">As of the date of publication, July 3, 2026, there are no known active exploits for CVE-2026-9725. However, due to the low complexity of the attack\u2014no attacker requires authentication or user interaction\u2014it is strongly recommended that you install the update as soon as possible.<\/p><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-lr-contact-post-module\">\n\t<div id=\"lr-contact-form\" class=\"wp-block-lr-contact-post-module\">\n\t\t<div id=\"formular\" class=\"content\">\n\t\t\t<div class=\"inner-content\">\n\t\t\t\t<div class=\"column-2 feature-mode\">\n\t\t\t\t\t<h2><br>Request your personal Live-Demo now<\/h2>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t<div>\n\t\t\t\t\t\t\t\t<p class=\"margin-b-36\">Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.<\/p>\n\t\t\t\t\t\t\t<\/div>\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div> \n\t\t\t\t<div class=\"column-2\">\n\t\t\t\t\t<form action=\"\" class=\"form\" method=\"post\" role=\"form\" novalidate data-trp-original-action=\"\">\n\t\t\t\t\t\t<input type=\"text\" id=\"successmessage\" name=\"successmessage\" value=\"Ihre Registrierung war erfolgreich Ihre Anfrage wurde erfolgreich versendet. Wir haben Ihnen soeben eine Best\u00e4tigungsmail mit einem Aktivierungs-Link zugesendet, um einem Missbrauch Ihrer E-Mail Adresse durch Dritte vorzubeugen. Die Mail wird von sales@locaterisk.com versendet und sollte sich i n wenigen Minuten in Ihrem Posteingang finden.\" hidden>\n\t\t\t\t\t\t<input type=\"text\" id=\"errormessage\" name=\"errormessage\" value=\"Da ist wohl etwas schief gelaufen. Bitte probieren Sie es erneut oder nehmen Sie direkt mit uns Kontakt auf\" hidden>\n\t\t\t\t\t\t<input type=\"text\" id=\"slug\" name=\"slug\" value=\"cve-2026-9725-printcart-wordpress-plugin\" hidden>\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\tid=\"name\"\n\t\t\t\t\t\t\t\tname=\"name\"\n\t\t\t\t\t\t\t\tplaceholder=\"first name\"\n\t\t\t\t\t\t\t\trequired\tmaxlength=\"50\"\/>\n\n\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\tid=\"surname\"\n\t\t\t\t\t\t\t\tname=\"surname\"\n\t\t\t\t\t\t\t\tplaceholder=\"last name\"\n\t\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\t\t\t\t\t\t\n\t\t\t\t\t\t<input\n\t\t\t\t\t\t\ttype=\"email\"\n\t\t\t\t\t\t\tid=\"email\"\n\t\t\t\t\t\t\tname=\"email\"\n\t\t\t\t\t\t\tplaceholder=\"Email\"\n\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\n\t\t\t\t\t\t<input\n\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\tid=\"phone\"\n\t\t\t\t\t\t\tname=\"phone\"\n\t\t\t\t\t\t\tplaceholder=\"phone\"\n\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t<h6 class=\"error-message\" hidden>...<\/h6>\n\t\t\t\t\t\t<div class=\"checkbox_container\">\n\t\t\t\t\t\t\t<div class=\"checkbox\">\n\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\t\ttype=\"checkbox\"\n\t\t\t\t\t\t\t\t\tid=\"checkbox\"\n\t\t\t\t\t\t\t\t\tname=\"checkbox\" \/>\n\n\t\t\t\t\t\t\t\t<label for=\"checkbox\"><\/label>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<p class=\"translation-block\">I agree with the <a href=\"https:\/\/locaterisk.com\/en\/datenschutz\/\" target=\"_self\">privacy policy<\/a>.<\/p> \n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\n\t\t\t\t\t<div class=\"g-recaptcha\" data-sitekey=\"6LdErNoZAAAAAD1Re2jNxtDFfcDaL9iED5MRBzjR\" data-callback=\"verifyRecaptchaCallback\" data-expired-callback=\"expiredRecaptchaCallback\"><\/div>\n\t\t\t\t\t<input type=\"hidden\" name=\"g-recaptcha-response\" data-recaptcha \/>\n\n\t\t\t\t\t\t<button class=\"lr-button-link\" type=\"submit\"> Request a Demo<\/button>\n\t\t\t\t\t<input type=\"hidden\" name=\"trp-form-language\" value=\"en\"\/><\/form>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\t\n\t<\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<div class=\"wp-block-lr-contact-module\"><div class=\"content\"><h2>Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!<\/h2><div class=\"contact-info-row\"><div class=\"contact-person-info\"><div class=\"avatar\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2025\/06\/Lukas_Baumann_LocateRisk-300.png\"><\/div><p><span class=\"text before\">Your personal consultant<\/span><span class=\"bold name\"><strong>Lukas<\/strong><\/span> <span class=\"lastname\"><strong>Baumann<strong><\/strong><\/strong><\/span><strong><strong><span class=\"separator\"><\/span><span class=\"role\">CEO<\/span><\/strong><\/strong><\/p><\/div><p class=\"bold phone\"><strong><strong>+49 6151 6290246<\/strong><\/strong><\/p><strong><strong><a class=\"pr-1\" href=\"mailto: sales@locaterisk.com\">Get in Touch Now<\/a><\/strong><\/strong><\/div><\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-lr-footer-module lr-footer-block\"><div class=\"content\"><div class=\"column0\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/assets\/img\/lr-logo.svg\"\/><\/div><div class=\"categories\"><div class=\"categories-element\"><a class=\"pr-4\" href=\"https:\/\/locaterisk.com\/en\/\">Home<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/blog\/\">Blog<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/about\/\">About Us<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/kontakt\/\">Contact<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/impressum\/\">Legal Notice<\/a><\/div><div class=\"categories-break\"><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/datenschutz\/\">Privacy<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/files\/gtc.pdf\">General Terms and Conditions<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/jobs\/\">Jobs<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"https:\/\/app.secfix.com\/trust\/locaterisk\/d1e7d433b33643aea1880bfbfeab9f60\">Trust Center<\/a><\/div><\/div><div class=\"social\"><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/locaterisk\/\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/10\/gruppe-230@3x.png\"\/><\/a><\/div><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/locaterisk\/\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Instagram.png\"\/><\/a><\/div><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/locaterisk\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/twitter.png\"\/><\/a><\/div><\/div><div class=\"description\"><h6>\u00a9 LocateRisk 2026<\/h6><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability (CVE-2026-9725, CVSS 9.1) in the Printcart plugin for WordPress allows unauthenticated attackers to delete arbitrary files.<\/p>","protected":false},"author":13,"featured_media":9077,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[632],"tags":[694,690,692,691,693,16,560,357,327],"class_list":["post-9078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-news","tag-arbitrary-file-deletion","tag-cve-2026-9725","tag-path-traversal","tag-printcart","tag-printcart-integration","tag-sicherheitsluecke","tag-third-party-risk","tag-woocommerce","tag-wordpress"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2026-9725: Kritische L\u00fccke in WordPress-Plugin | LocateRisk<\/title>\n<meta name=\"description\" content=\"Eine kritische Schwachstelle (CVE-2026-9725, CVSS 9.1) im Printcart-Plugin f\u00fcr WordPress erm\u00f6glicht unauthentifizierten Angreifern das L\u00f6schen beliebiger Dateien.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/locaterisk.com\/en\/cve-2026-9725-printcart-wordpress-plugin\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2026-9725: Kritische L\u00fccke in WordPress-Plugin | LocateRisk\" \/>\n<meta property=\"og:description\" content=\"Eine kritische Schwachstelle (CVE-2026-9725, CVSS 9.1) im Printcart-Plugin f\u00fcr WordPress erm\u00f6glicht unauthentifizierten Angreifern das L\u00f6schen beliebiger Dateien.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/locaterisk.com\/en\/cve-2026-9725-printcart-wordpress-plugin\/\" \/>\n<meta property=\"og:site_name\" content=\"LocateRisk\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-03T07:43:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kristina Hoinkis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kristina Hoinkis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/\"},\"author\":{\"name\":\"Kristina Hoinkis\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\"},\"headline\":\"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung\",\"datePublished\":\"2026-07-03T07:43:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/\"},\"wordCount\":1164,\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-9725-featured.png\",\"keywords\":[\"Arbitrary File Deletion\",\"CVE-2026-9725\",\"Path Traversal\",\"Printcart\",\"printcart-integration\",\"Sicherheitsl\u00fccke\",\"Third-Party Risk\",\"WooCommerce\",\"WordPress\"],\"articleSection\":[\"Cybersecurity News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/\",\"name\":\"CVE-2026-9725: Kritische L\u00fccke in WordPress-Plugin | LocateRisk\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-9725-featured.png\",\"datePublished\":\"2026-07-03T07:43:22+00:00\",\"description\":\"Eine kritische Schwachstelle (CVE-2026-9725, CVSS 9.1) im Printcart-Plugin f\u00fcr WordPress erm\u00f6glicht unauthentifizierten Angreifern das L\u00f6schen beliebiger Dateien.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#primaryimage\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-9725-featured.png\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-9725-featured.png\",\"width\":400,\"height\":400,\"caption\":\"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-9725-printcart-wordpress-plugin\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/locaterisk.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"name\":\"LocateRisk\",\"description\":\"IT-Sicherheit messen und vergleichen\",\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\",\"name\":\"LocateRisk\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"LocateRisk\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/locaterisk\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\",\"name\":\"Kristina Hoinkis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"caption\":\"Kristina Hoinkis\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CVE-2026-9725: Kritische L\u00fccke in WordPress-Plugin | LocateRisk","description":"A critical vulnerability (CVE-2026-9725, CVSS 9.1) in the Printcart plugin for WordPress allows unauthenticated attackers to delete arbitrary files.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/locaterisk.com\/en\/cve-2026-9725-printcart-wordpress-plugin\/","og_locale":"en_US","og_type":"article","og_title":"CVE-2026-9725: Kritische L\u00fccke in WordPress-Plugin | LocateRisk","og_description":"Eine kritische Schwachstelle (CVE-2026-9725, CVSS 9.1) im Printcart-Plugin f\u00fcr WordPress erm\u00f6glicht unauthentifizierten Angreifern das L\u00f6schen beliebiger Dateien.","og_url":"https:\/\/locaterisk.com\/en\/cve-2026-9725-printcart-wordpress-plugin\/","og_site_name":"LocateRisk","article_published_time":"2026-07-03T07:43:22+00:00","og_image":[{"width":400,"height":400,"url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png","type":"image\/png"}],"author":"Kristina Hoinkis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kristina Hoinkis","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#article","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/"},"author":{"name":"Kristina Hoinkis","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32"},"headline":"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung","datePublished":"2026-07-03T07:43:22+00:00","mainEntityOfPage":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/"},"wordCount":1164,"publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"image":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png","keywords":["Arbitrary File Deletion","CVE-2026-9725","Path Traversal","Printcart","printcart-integration","Sicherheitsl\u00fccke","Third-Party Risk","WooCommerce","WordPress"],"articleSection":["Cybersecurity News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/","url":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/","name":"CVE-2026-9725: Kritische L\u00fccke in WordPress-Plugin | LocateRisk","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#primaryimage"},"image":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png","datePublished":"2026-07-03T07:43:22+00:00","description":"A critical vulnerability (CVE-2026-9725, CVSS 9.1) in the Printcart plugin for WordPress allows unauthenticated attackers to delete arbitrary files.","breadcrumb":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#primaryimage","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-9725-featured.png","width":400,"height":400,"caption":"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung"},{"@type":"BreadcrumbList","@id":"https:\/\/locaterisk.com\/de\/cve-2026-9725-printcart-wordpress-plugin\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/locaterisk.com\/"},{"@type":"ListItem","position":2,"name":"Kritische Schwachstelle CVE-2026-9725 in WordPress-Plugin erm\u00f6glicht Datei-L\u00f6schung"}]},{"@type":"WebSite","@id":"https:\/\/locaterisk.com\/de\/#website","url":"https:\/\/locaterisk.com\/de\/","name":"LocateRisk","description":"Measure and compare IT security","publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/locaterisk.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/locaterisk.com\/de\/#organization","name":"LocateRisk","url":"https:\/\/locaterisk.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","width":1920,"height":1080,"caption":"LocateRisk"},"image":{"@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/locaterisk\/"]},{"@type":"Person","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32","name":"Kristina Hoinkis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","caption":"Kristina Hoinkis"}}]}},"_links":{"self":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/comments?post=9078"}],"version-history":[{"count":1,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9078\/revisions"}],"predecessor-version":[{"id":9079,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9078\/revisions\/9079"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media\/9077"}],"wp:attachment":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media?parent=9078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/categories?post=9078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/tags?post=9078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}