Share
## https://sploitus.com/exploit?id=4439433A-56D0-5C83-9A5D-AB92E100A1CA
### Description

WooCommerce Designer Pro plugin for WordPress contains a critical vulnerability in versions up to and including 1.9.26. 
This vulnerability was discovered and disclosed on October 24, 2025. 
The affected component is specifically the ``wcdp_save_canvas_design_ajax`` function within the plugin, which is commonly used by the Pricom - Printing Company & Design Services WordPress them

---

## Install & Use

Installation:

```
pip install -r requirements.txt
```

Usage :

```
python3 exploit.py --url http://example.com/ --file shell.php --verbose
```

Notes:

--url : target base URL (script normalizes it).

--file : local file to upload.

--verbose : optional detailed output.

The script saves:

downloaded_.bin

extracted_.php (extracted PHP fragment if found)

## Mitigation

Update WooCommerce Designer Pro to the patched version when available.
Prevent PHP execution in upload directories. Example nginx:

```
location ~* /wp-content/uploads/.*\.(php|phtml|php[0-9]*)$ {
    return 403;
}
```

Validate uploaded file types and scan file contents server-side.
Restrict access to AJAX endpoints where possible and monitor upload activity.