PT-2025-41674 · WordPress · Woocommerce Designer Pro

Tonn · Published 2025-10-11 · Updated 2025-10-16 · CVE-2025-6439

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WooCommerce Designer Pro versions through 1.9.26

Description

The WooCommerce Designer Pro plugin for WordPress is affected by an arbitrary file deletion issue. Insufficient file path validation in the wcdp_save_canvas_design_ajax function allows unauthenticated attackers to delete files in arbitrary directories on the server. This could lead to remote code execution, data loss, or site unavailability.

Recommendations

Versions prior to and including 1.9.26 should be updated when a fix is available. As a temporary workaround, consider restricting access to the wcdp_save_canvas_design_ajax function until a patch is available.

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-6439

Affected Products

Woocommerce Designer Pro