Introduction
Remote code execution on a WordPress e-commerce site can lead to theft of customer data, payment skimming, and full site takeover. CVE-2025-6440 exposes thousands of WooCommerce Designer Pro installations to unauthenticated arbitrary file upload, with no patch available at publication time.
WooCommerce Designer Pro is a premium WordPress plugin by JMA Plugins, widely used by online print shops and stores for product customization. It is distributed independently and bundled with the Pricom Printing Company & Design Services WordPress theme. The plugin is popular in the WooCommerce ecosystem, which powers a significant portion of global e-commerce sites.
Technical Information
CVE-2025-6440 is a classic instance of CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability is present in all versions of WooCommerce Designer Pro up to and including 1.9.26. The root cause is the lack of file type validation in the wcdp_save_canvas_design_ajax function, which handles AJAX requests for saving user-generated product designs.
Vulnerability mechanism:
- The plugin exposes an AJAX endpoint at wp-admin/admin-ajax.php?action=wcdp_save_canvas_design_ajax that is reachable without authentication.
- The endpoint accepts file uploads from any user, including unauthenticated visitors.
- There is no server-side check restricting uploads to safe file types (such as images), so a file with any extension and any content, including a PHP script, can be uploaded.
- Uploaded files are saved to a web-accessible directory, typically under wp-content/uploads/.
- If a PHP file is uploaded, it can be executed via a direct HTTP request, resulting in remote code execution with the privileges of the web server process.
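As an added example (not part of the original advisory and not the vendor's code), the following Python script triages web server access logs for the two signals the mechanism above implies: a POST to the wcdp_save_canvas_design_ajax action, and a request for a PHP-like file below wp-content/uploads/, correlated by client IP and time. It also includes a filesystem counterpart that lists PHP-like files under the uploads tree. The log lines, IP addresses and timestamps are constructed for this example; the multipart field names the handler expects are not given in the advisory and are not assumed here, which is why detection keys on the action name and the resulting file path rather than on the upload body.

```python
import os
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

VULN_ACTION = "wcdp_save_canvas_design_ajax"
# Extensions PHP engines commonly execute; .phtml/.phar are typical bypass choices.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:$|/)", re.IGNORECASE)

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def is_upload_call(req):
    """Request to admin-ajax.php whose action is the vulnerable handler.
    Only the query string is visible in an access log, so a request that
    carries the action in the POST body is not detected by this check."""
    u = urlsplit(req["path"])
    if not u.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return VULN_ACTION in parse_qs(u.query).get("action", [])


def is_php_under_uploads(req):
    """Any request for a PHP-like file below wp-content/uploads/. That tree
    should only ever serve static media, so a 200 here is a strong signal
    and a 404 is still worth noting as a probe."""
    path = urlsplit(req["path"]).path
    return "/wp-content/uploads/" in path and bool(PHP_EXT.search(path))


def triage(lines, window=timedelta(minutes=30)):
    """Return findings: every upload call, and every PHP-under-uploads hit,
    the latter flagged as correlated when the same IP called the vulnerable
    action within `window` beforehand."""
    reqs = [r for r in (parse_line(l) for l in lines) if r]
    uploads = [r for r in reqs if r["method"] == "POST" and is_upload_call(r)]
    findings = [{"type": "upload_attempt", "ip": u["ip"], "ts": u["ts"]} for u in uploads]
    for r in reqs:
        if not is_php_under_uploads(r):
            continue
        correlated = any(
            u["ip"] == r["ip"] and timedelta(0) <= r["ts"] - u["ts"] <= window
            for u in uploads
        )
        findings.append({
            "type": "php_in_uploads",
            "ip": r["ip"],
            "path": urlsplit(r["path"]).path,
            "status": r["status"],
            "correlated": correlated,
        })
    return findings


def find_php_in_uploads(uploads_dir):
    """Filesystem check: list PHP-like files under the uploads tree (there
    should be none on a healthy site). Returns sorted absolute paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if PHP_EXT.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Constructed sample log (not real traffic): one attacker uploads and then
# calls a PHP file, one legitimate visitor, and one unrelated probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=wcdp_save_canvas_design_ajax HTTP/1.1" 200 51 "-" "python-requests/2.32"',
    '203.0.113.5 - - [18/Jun/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/06/design.php?cmd=id HTTP/1.1" 200 312 "-" "python-requests/2.32"',
    '198.51.100.7 - - [18/Jun/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/06/mug.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2025:10:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [18/Jun/2025:11:40:03 +0000] "GET /wp-content/uploads/old/shell.phtml HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it against the real log with `triage(open("/var/log/nginx/access.log").read().splitlines())`, and point `find_php_in_uploads` at the site's wp-content/uploads directory. A correlated 200 on a PHP path under uploads is the incident-confirming combination; a lone upload_attempt with the action in the query string still warrants checking the uploads tree, since the access log cannot show whether the POST body carried a file.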
Root cause:
- No MIME type or file extension validation on server side.
- No authentication or authorization required to access the vulnerable AJAX handler.
- No nonce or CSRF protection present on the endpoint.
This vulnerability is trivially exploitable and does not require any prior access to the site. Similar flaws have been observed in other WordPress plugins, often leading to mass exploitation campaigns.
Affected Systems and Versions
- WooCommerce Designer Pro plugin for WordPress
- All versions up to and including 1.9.26
- Any WordPress installation with this plugin active accepts the unauthenticated upload regardless of configuration; whether that upload becomes code execution depends on the web server executing PHP under wp-content/uploads/, which default Apache and nginx WordPress setups do
- The vulnerability also affects sites using the Pricom Printing Company & Design Services WordPress theme, as it bundles the vulnerable plugin
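As an added example (not from the advisory or the vendor), this Python script answers the inventory question the version range above raises: it reads the standard WordPress plugin header (`Plugin Name:` and `Version:` in the main file's leading comment) from every plugin directory and flags WooCommerce Designer Pro at or below 1.9.26. The advisory does not state the plugin's directory or main file name, so the scan matches on the header text rather than on a path; the sample tree in the demo is constructed for this example.

```python
import os
import re
import tempfile

AFFECTED_MAX = "1.9.26"
PLUGIN_NAME = "WooCommerce Designer Pro"

# Matches "Plugin Name: X" / "Version: X" with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def version_tuple(v):
    """'1.9.26' -> (1, 9, 26). A trailing label such as '1.9.27-beta' is
    dropped so the numeric parts still compare."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version):
    """True for every version up to and including AFFECTED_MAX."""
    return version_tuple(version) <= version_tuple(AFFECTED_MAX)


def read_plugin_header(path):
    """Return (plugin name, version) from a PHP file's header comment.
    WordPress itself only inspects the first 8 KiB, so we do the same."""
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)
    fields = dict(HEADER_RE.findall(head))
    return fields.get("Plugin Name"), fields.get("Version")


def scan_plugins(plugins_dir):
    """Walk wp-content/plugins-style directories and report every copy of
    the named plugin with its version and affected status."""
    results = []
    for entry in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, entry)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".php"):
                continue
            pname, ver = read_plugin_header(os.path.join(d, name))
            if pname == PLUGIN_NAME and ver:
                results.append({"dir": entry, "version": ver, "affected": is_affected(ver)})
                break
    return results


def build_sample_tree():
    """Constructed demo tree (hypothetical directory names, not the vendor's)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wc-designer-pro-sample"))
    with open(os.path.join(root, "wc-designer-pro-sample", "plugin.php"), "w") as f:
        f.write("<?php\n/**\n * Plugin Name: WooCommerce Designer Pro\n * Version: 1.9.26\n */\n")
    return root


if __name__ == "__main__":
    for r in scan_plugins(build_sample_tree()):
        print(r)
```

Point `scan_plugins` at the real wp-content/plugins directory (or a backup of it) on each host; because the check keys on the header rather than the path, a copy installed from the Pricom theme bundle is found the same way as a standalone install, as long as its main file sits under the scanned directory.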
Vendor Security History
- JMA Plugins, the vendor of WooCommerce Designer Pro, has no public record of prior vulnerabilities in this product
- The plugin market segment (WooCommerce product designers) has seen similar critical file upload vulnerabilities in competing products
- No patch has been released as of the disclosure date, raising concerns about the vendor's response time and security maturity. Until a fixed version is available, the practical options are to deactivate the plugin, block requests carrying action=wcdp_save_canvas_design_ajax at the web server or WAF, and deny PHP execution under wp-content/uploads/



