The 3DPrint WordPress plugin (slug: 3dprint) has a High-severity vulnerability that affects versions up to, but not including, 3.5.6.9. Tracked as CVE-2022-3899, this issue can allow an attacker to trigger arbitrary file and directory deletion if they can trick an administrator into clicking a malicious link or taking a prompted action while logged in. The published CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Attack Vectors
This vulnerability is a Cross-Site Request Forgery (CSRF) scenario: the attacker does not need to log in, but they do need user interaction from a privileged user (typically a site administrator).
Realistic delivery paths include phishing emails, direct messages, or ads that prompt an admin to click a link while already authenticated to WordPress. In practical terms, the “attack” may look like a routine request (e.g., “review this proof,” “confirm this setting,” or “view this report”) that quietly submits a forged request in the background.
Security Weakness
According to the vulnerability record, affected versions of 3DPrint are missing or incorrectly performing nonce validation on one of the plugin’s functions. Nonces are a standard WordPress control used to ensure that a sensitive action was intentionally initiated by an authorized user within the site.
When this validation is missing or incorrect, a third-party webpage can induce a logged-in administrator’s browser to submit a request that WordPress will accept as legitimate—enabling file and directory deletion without the admin meaning to approve it.
Remediation: Update 3DPrint to version 3.5.6.9 or newer (patched). For reference, see the published source entry from Wordfence: Wordfence vulnerability details.
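To make the missing control concrete, the following hypothetical WordPress AJAX handler is an added illustration and not code from the 3DPrint plugin: it shows the CSRF-prone pattern the record describes next to the hardened form a patched handler needs. The action name, capability and upload subdirectory are assumptions.

```php
<?php
// Added example, not the plugin's own code. Action name "myplugin_delete_file",
// the 'manage_options' capability and the "myplugin" upload subfolder are assumed.

// Weak pattern: no nonce check, no capability check, and the target path is
// trusted as given. A request the admin's browser is induced to send carries
// the admin's session cookies, so WordPress treats it as legitimate.
function myplugin_delete_file_weak() {
    $file = wp_unslash( $_POST['file'] ?? '' );
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_die();
}

// Hardened pattern: the request must carry a nonce minted for this exact
// action, the caller must hold the right capability, and the target must
// resolve inside the one directory this feature is allowed to manage.
function myplugin_delete_file_safe() {
    // 1. CSRF control: stops the request (HTTP 403) unless a valid nonce for
    //    'myplugin_delete_file' arrives in the '_ajax_nonce' field.
    check_ajax_referer( 'myplugin_delete_file', '_ajax_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Path confinement: plain file names only, resolved under the base dir.
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'myplugin' );
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $path = ( $base && '' !== $name ) ? realpath( $base . '/' . $name ) : false;
    if ( ! $path || 0 !== strpos( $path, $base . '/' ) || ! is_file( $path ) ) {
        wp_send_json_error( 'invalid target', 400 );
    }

    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( basename( $path ) );
}
add_action( 'wp_ajax_myplugin_delete_file', 'myplugin_delete_file_safe' );

// The admin page that issues the request must embed a matching nonce, for
// example via wp_create_nonce( 'myplugin_delete_file' ) in localized script
// data; a third-party page cannot obtain that value, which is the whole point.
```

Note that `wp_send_json_error()` and a failed `check_ajax_referer()` both terminate the request, so no explicit `return` is needed after them.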
Technical or Business Impacts
Operational disruption: Arbitrary deletion of files or directories can take a site partially or fully offline, break critical functionality (including customer journeys and lead capture), or force emergency restoration work.
Brand and revenue risk: Downtime and broken pages directly affect campaign performance, advertising efficiency, SEO visibility, and customer trust—especially if the site is used for product launches, partner programs, or high-traffic promotions.
Security and compliance exposure: While this CVE focuses on deletion, removing specific files can also weaken defenses (for example, by breaking security tooling, logging, or site integrity controls), increasing the likelihood or impact of follow-on incidents. Depending on your environment, outages and incident response activities may also trigger contractual or compliance reporting obligations.
Similar attacks (documented patterns and examples): CSRF is a well-known method for coercing authenticated users into executing unwanted actions. For non-vendor-specific examples and case studies of how CSRF is exploited in practice, see OWASP: CSRF and PortSwigger Web Security Academy: CSRF.