## https://sploitus.com/exploit?id=79541384-47A5-592D-A5A6-0CDB62D82608
CVE-2025-6440: WooCommerce Designer Pro Unrestricted File Upload
Unauthenticated Arbitrary File Upload via wcdp_save_canvas_design_ajax
WooCommerce Designer Pro plugin: Remote Code Execution (RCE)
---
## Description
The **WooCommerce Designer Pro** plugin for WordPress contains an **unauthenticated arbitrary file upload** vulnerability in the AJAX action `wcdp_save_canvas_design_ajax`. An attacker can upload any file (including malicious PHP scripts) without authentication, leading to **Remote Code Execution (RCE)**.
> **CVSS Score:** 9.8 (Critical)
> **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
> **Attack Vector:** Network | **Complexity:** Low | **Privileges:** None
---
## Affected Versions
| Plugin | Vulnerable Versions |
| :---------------------------- | :------------------ |
| WooCommerce Designer Pro | All versions (unpatched) |
> **Note:** This vulnerability has been assigned **CVE-2025-6440**. The plugin may be discontinued. No patch is available.
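Because no fix exists, the practical follow-up for a site that runs this plugin is to check whether `wp-content/uploads` already holds what an arbitrary-file-upload bug lets an attacker drop there, and to block PHP execution in that directory until the plugin is removed. The script below is an added example, not the advisory's PoC and not plugin code: the directory layout and file contents are constructed fixtures, and the upload path, the extension list and the Apache rule are assumptions about a typical WordPress host rather than facts taken from this page.

```python
"""Post-exploitation check for CWE-434 in a WordPress uploads tree.

Added example: not code from the advisory, the PoC, or the WooCommerce
Designer Pro plugin. It never touches the vulnerable AJAX action; it looks
for what an arbitrary-file-upload bug lets an attacker leave behind and emits
a mitigation rule for sites that cannot yet remove the plugin.
"""
import os
import re
import tempfile

# Extensions a typical Apache/mod_php or PHP-FPM handler executes (assumed list).
EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".php8",
            ".phtml", ".phar", ".phps"}
# Files that can re-enable PHP execution where AllowOverride / user.ini is honoured.
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}
# PHP open tag; "<?xml" is deliberately not matched so SVG/XML uploads stay quiet.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def has_executable_extension(name):
    """True for shell.php and for double extensions such as shell.php.jpg,
    which AddHandler-style configurations still run."""
    parts = name.lower().split(".")
    return any("." + p in EXEC_EXT for p in parts[1:])


def scan_uploads(root):
    """Return sorted (relative_path, [reasons]) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            reasons = []
            if fn.lower() in CONFIG_OVERRIDES:
                reasons.append("server config override")
            if has_executable_extension(fn):
                reasons.append("executable extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1024)  # polyglots put the tag early
            except OSError:
                continue
            if PHP_TAG.search(head):
                reasons.append("php open tag")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def htaccess_deny_rule():
    """Apache 2.4 rule for wp-content/uploads/.htaccess (needs AllowOverride).
    Unanchored on purpose so shell.php.jpg is denied too; it also over-blocks
    names like x.photo.jpg, which is the safe direction. nginx sites need a
    location block returning 403 instead."""
    return (
        '<FilesMatch "\\.ph(p[0-9]?|tml|ar|ps)">\n'
        "    Require all denied\n"
        "</FilesMatch>\n"
    )


# Constructed fixture (not real captured data): what an uploads directory
# might look like after an unrestricted upload is abused.
SAMPLE_TREE = {
    "2025/06/photo.jpg": b"\xff\xd8\xff\xe0 JFIF benign image",
    "2025/06/design.svg": b'<?xml version="1.0"?><svg/>',
    "2025/06/shell.php": b"<?php system($_GET['c']); ?>",
    "2025/06/polyglot.jpg": b"GIF89a<?php eval($_POST['x']); ?>",
    "2025/06/shell.php.jpg": b"GIF89a not really an image",
    "wcdp/.htaccess": b"AddType application/x-httpd-php .jpg\n",
}


def build_sample_tree(base):
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {', '.join(why)}")
    print(htaccess_deny_rule())
```

Against a live site, call `scan_uploads("/var/www/html/wp-content/uploads")` (path assumed) and treat every hit as an incident-response lead rather than proof on its own; a benign plugin can legitimately write a `.htaccess`. The deny rule only limits blast radius on Apache hosts that honour overrides; deactivating and deleting the plugin remains the actual fix while no patch exists.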
---
## Proof of Concept (PoC)
### Python Exploit
```bash
python CVE-2025-6440.py -u http://target.com/wordpress