Printful WooCommerce Plugin Exposes Internal Data Through Unvalidated API

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.4

Printful WooCommerce Plugin Exposes Internal Data Through Unvalidated API

CVE-2025-12375

Summary

The Printful WooCommerce plugin for WordPress contains a security flaw that allows an attacker with contributor access to make unauthorized requests to internal services, potentially exposing sensitive data and allowing them to modify information. This affects all versions up to and including 2.2.11 and can be fixed by updating the plugin to a newer version. We recommend updating the plugin as soon as possible to ensure the security of your website.

Original title

Original description

The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

nvd CVSS3.1 6.4

Vulnerability type

CWE-918 Server-Side Request Forgery (SSRF)

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026