Skip to main content

Helloprint WordPress Plugin CVE-2024-50525

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-11-04 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL) 10.0 (CRITICAL)
CVE Published
Nov 04, 2024 - 14:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through <= 2.0.4.

AnalysisAI

Unrestricted file upload in the Helloprint WordPress plugin (versions through 2.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-auth exploitation with scope change and full CIA impact, though no public exploit has been identified at time of analysis and EPSS remains modest at 1.23% (79th percentile).

Technical ContextAI

Helloprint is a WordPress plugin distributed via the WordPress plugin ecosystem (confirmed by CPE target 'wordpress'). The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler fails to validate file extension, MIME type, or content against an allow-list, permitting executable PHP files to be written into a web-accessible directory. Once dropped, the PHP file is interpreted by the WordPress runtime, giving the attacker arbitrary code execution under the web server user. The scope-change (S:C) marker in the CVSS vector indicates the impact crosses the plugin's trust boundary into the broader WordPress host.

RemediationAI

Upgrade the Helloprint plugin to a version newer than 2.0.4 once the vendor publishes a fixed release; patch status from the provided data is best described as patch available per Patchstack advisory, but no independently confirmed fix version is in the input. Until a fixed version is installed, deactivate and remove the Helloprint plugin from any WordPress site that does not actively require it, as this fully eliminates the attack surface at the cost of losing plugin functionality. As compensating controls, restrict write permissions on wp-content/uploads and disable PHP execution within upload directories via a web server rule (e.g., an Apache .htaccess php_flag engine off or an nginx location block returning 403 for .php under uploads), which blocks web shell execution but may break legitimate plugins that rely on dynamic file generation. Place the site behind a WAF with WordPress file-upload signatures (Wordfence, Patchstack, Cloudflare managed rules) and monitor for unexpected .php, .phtml, or .phar files under wp-content/uploads.

Share

CVE-2024-50525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy