## https://sploitus.com/exploit?id=4439433A-56D0-5C83-9A5D-AB92E100A1CA
### Description
WooCommerce Designer Pro plugin for WordPress contains a critical vulnerability in versions up to and including 1.9.26.
This vulnerability was discovered and disclosed on October 24, 2025.
The affected component is specifically the ``wcdp_save_canvas_design_ajax`` function within the plugin, which is commonly used by the Pricom - Printing Company & Design Services WordPress them
---
## Install & Use
Installation:
```
pip install -r requirements.txt
```
Usage :
```
python3 exploit.py --url http://example.com/ --file shell.php --verbose
```
Notes:
--url : target base URL (script normalizes it).
--file : local file to upload.
--verbose : optional detailed output.
The script saves:
downloaded_.bin
extracted_.php (extracted PHP fragment if found)
## Mitigation
Update WooCommerce Designer Pro to the patched version when available.
Prevent PHP execution in upload directories. Example nginx:
```
location ~* /wp-content/uploads/.*\.(php|phtml|php[0-9]*)$ {
return 403;
}
```
Validate uploaded file types and scan file contents server-side.
Restrict access to AJAX endpoints where possible and monitor upload activity.