cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security research for printful-shipping-for-woocommerce

Jun 07, 2024

Printful Integration for WooCommerce # 56e2e29d6f8e227365e1c85d6026fc3075cbeb15

Date
Aug 11, 2023
Research Description
Printful Integration for WooCommerce [printful-shipping-for-woocommerce] < 2.2.3. WordPress Printful Integration for WooCommerce Plugin <= 2.2.2 is vulnerable to Broken Access Control. No patched version is available; no reply from the vendor. Lana Codes discovered and reported this Broken Access Control vulnerability in the WordPress Printful Integration for WooCommerce Plugin. A broken access control issue is a missing authorization, authentication or nonce token check in a function, which can let an unprivileged user execute a higher-privileged action. This vulnerability is not known to have been fixed.
Affected versions
max 2.2.3.
Status
vulnerable
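The bug class described in this entry, shown as an added illustration that is not code from the Printful plugin (the advisory names no function). The hook names, the option name and the function names are invented; the checks are the three the description lists, implemented with standard WordPress APIs.

```php
<?php
// Added illustration of a WordPress broken-access-control bug; not the plugin's code.
// Hook names, option name and function names are invented for the example.

// VULNERABLE: an admin-ajax action that changes a site-wide setting. It is hooked
// for logged-in users AND, via the _nopriv hook, for anonymous visitors, and checks
// neither a nonce nor a capability, so any POST to admin-ajax.php succeeds.
add_action( 'wp_ajax_example_save_api_key', 'example_save_api_key_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_api_key', 'example_save_api_key_vulnerable' );

function example_save_api_key_vulnerable() {
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_api_key', $key ); // privileged write with no gate in front of it
    wp_send_json_success();
}

// HARDENED: the same action with the three checks the advisory says a
// broken-access-control bug omits: authentication (no _nopriv hook, so only
// logged-in users reach the handler), a nonce bound to the action (anti-CSRF),
// and an authorization check for an administrator-level capability.
add_action( 'wp_ajax_example_save_api_key_safe', 'example_save_api_key_hardened' );

function example_save_api_key_hardened() {
    // Nonce check: on failure check_ajax_referer() ends the request with HTTP 403.
    check_ajax_referer( 'example_save_api_key', 'nonce' );

    // Capability check: manage_options is held by administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( '' === $key ) {
        wp_send_json_error( array( 'message' => 'api_key is required' ), 400 );
    }
    update_option( 'example_api_key', $key );
    wp_send_json_success();
}

// The nonce is handed to the settings page's script, which posts it back as the
// "nonce" field. A nonce is not authorization: it only shows the request came from
// a page WordPress rendered for this user, so the capability check stays required.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_api_key' ),
    ) );
} );
```

To confirm a handler is gated, send the action from a fresh browser session (no cookies) and from a Subscriber account without the nonce field; the vulnerable variant returns success in both cases, the hardened one returns 403 for both.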
Jun 10, 2024

Printful Integration for WooCommerce # CVE-2022-47168

CVE, Research URL

CVE-2022-47168

Date
Dec 13, 2024
Research Description
Missing Authorization vulnerability in Printful Printful Integration for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printful Integration for WooCommerce: from n/a through 2.2.3.
Affected versions
max 2.2.3.
Status
vulnerable
Feb 27, 2026

Printful Integration for WooCommerce # CVE-2025-12375

CVE, Research URL

CVE-2025-12375

Date
Feb 19, 2026
Research Description
The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Affected versions
max 2.2.12.
Status
vulnerable
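The SSRF pattern this entry describes (a REST route that hands a caller-supplied URL to download_url()), shown as an added illustration that is not code from the Printful plugin. The route names, option names and function names are invented; the hardened route does not rely on whatever the HTTP layer filters on its own and instead requires an administrator, allowlists the host, and resolves it before fetching.

```php
<?php
// Added illustration of REST-endpoint SSRF and one way to close it; not the plugin's code.
// Route, filter and function names are invented for the example.

add_action( 'rest_api_init', function () {
    // VULNERABLE: reachable by anyone who can edit posts (Contributor and above),
    // and the supplied URL is fetched as-is.
    register_rest_route( 'example/v1', '/size-chart', array(
        'methods'             => 'POST',
        'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        'callback'            => 'example_fetch_size_chart_vulnerable',
        'args'                => array( 'url' => array( 'type' => 'string', 'required' => true ) ),
    ) );

    // HARDENED: administrator-only, and the URL must pass example_is_safe_remote_url().
    register_rest_route( 'example/v1', '/size-chart-safe', array(
        'methods'             => 'POST',
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'callback'            => 'example_fetch_size_chart_hardened',
        'args'                => array( 'url' => array( 'type' => 'string', 'required' => true ) ),
    ) );
} );

function example_fetch_size_chart_vulnerable( WP_REST_Request $req ) {
    // http://127.0.0.1:8080/, http://10.0.0.5/admin, http://169.254.169.254/ are all
    // accepted here: the server fetches them and returns whatever came back.
    $tmp = download_url( $req->get_param( 'url' ) );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $body = file_get_contents( $tmp );
    unlink( $tmp );
    return rest_ensure_response( array( 'body' => $body ) );
}

// Returns true only for an absolute http(s) URL without userinfo whose host is on
// an explicit allowlist and resolves solely to public addresses.
function example_is_safe_remote_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || ! in_array( $parts['scheme'], array( 'http', 'https' ), true ) ) {
        return false; // rejects file://, gopher://, php:// and scheme-relative input
    }
    if ( empty( $parts['host'] ) || isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    if ( false === wp_http_validate_url( $url ) ) {
        return false; // WordPress's own checks (scheme, port, loopback/private host)
    }
    // The integration talks to one vendor; an allowlist is stronger than a denylist.
    $allowed = apply_filters( 'example_size_chart_hosts', array( 'files.example.com' ) );
    if ( ! in_array( strtolower( $parts['host'] ), $allowed, true ) ) {
        return false;
    }
    // Resolve and reject private (10/8, 172.16/12, 192.168/16) and reserved
    // (127/8, 169.254/16, 0/8, 240/4) answers, so a vendor hostname that is pointed
    // at an internal address still fails closed.
    $ips = gethostbynamel( $parts['host'] );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

function example_fetch_size_chart_hardened( WP_REST_Request $req ) {
    $url = esc_url_raw( $req->get_param( 'url' ) );
    if ( ! example_is_safe_remote_url( $url ) ) {
        return new WP_Error( 'example_bad_url', 'URL not allowed', array( 'status' => 400 ) );
    }
    $tmp = download_url( $url, 15 ); // 15-second timeout
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $size = filesize( $tmp );
    unlink( $tmp );
    // Return only what the feature needs, not the raw fetched body, so even a
    // misjudged allowlist entry does not turn the endpoint into a proxy.
    return rest_ensure_response( array( 'bytes' => $size ) );
}
```

A practical check for any plugin that fetches URLs: as a Contributor, POST an internal address such as http://127.0.0.1:8080/ to the endpoint and watch the site's outbound traffic or the local listener; a request arriving there is the finding the advisory describes. The resolve-then-fetch check above still leaves a window for DNS rebinding between the lookup and download_url()'s own lookup, so the host allowlist is the control to lean on.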