Helloprint WordPress Plugin CVE-2024-50525
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through <= 2.0.4.
AnalysisAI
Unrestricted file upload in the Helloprint WordPress plugin (versions through 2.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-auth exploitation with scope change and full CIA impact, though no public exploit has been identified at time of analysis and EPSS remains modest at 1.23% (79th percentile).
Technical ContextAI
Helloprint is a WordPress plugin distributed via the WordPress plugin ecosystem (confirmed by CPE target 'wordpress'). The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler fails to validate file extension, MIME type, or content against an allow-list, permitting executable PHP files to be written into a web-accessible directory. Once dropped, the PHP file is interpreted by the WordPress runtime, giving the attacker arbitrary code execution under the web server user. The scope-change (S:C) marker in the CVSS vector indicates the impact crosses the plugin's trust boundary into the broader WordPress host.
RemediationAI
Upgrade the Helloprint plugin to a version newer than 2.0.4 once the vendor publishes a fixed release; patch status from the provided data is best described as patch available per Patchstack advisory, but no independently confirmed fix version is in the input. Until a fixed version is installed, deactivate and remove the Helloprint plugin from any WordPress site that does not actively require it, as this fully eliminates the attack surface at the cost of losing plugin functionality. As compensating controls, restrict write permissions on wp-content/uploads and disable PHP execution within upload directories via a web server rule (e.g., an Apache .htaccess php_flag engine off or an nginx location block returning 403 for .php under uploads), which blocks web shell execution but may break legitimate plugins that rely on dynamic file generation. Place the site behind a WAF with WordPress file-upload signatures (Wordfence, Patchstack, Cloudflare managed rules) and monitor for unexpected .php, .phtml, or .phar files under wp-content/uploads.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today