Skip to main content

Helloprint WordPress Plugin CVE-2025-26534

HIGH
Path Traversal (CWE-22)
2025-03-03 audit@patchstack.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:09 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 8.6

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.

AnalysisAI

Arbitrary file deletion in Helloprint WordPress plugin versions up to 2.0.7 allows remote unauthenticated attackers to delete critical files via path traversal, causing denial of service. CVSS 8.6 with Changed scope indicates impact beyond the vulnerable component. EPSS score of 0.19% (41st percentile) suggests low current exploitation probability. Reported by Patchstack audit team with technical details available in their vulnerability database.

Technical ContextAI

The vulnerability stems from CWE-22 (Path Traversal), where the plugin fails to properly sanitize or validate pathname input, allowing directory traversal sequences (e.g., '../') to escape intended file operation boundaries. The WordPress plugin architecture typically restricts file operations to specific directories (wp-content/plugins, uploads), but insufficient input validation permits attackers to construct paths referencing files outside these safe zones. The CVSS Changed scope (S:C) indicates the vulnerability can affect resources beyond the plugin's authorization scope, likely allowing deletion of WordPress core files, theme files, or other plugins' files-not just the Helloprint plugin's own assets. This represents a boundary violation where the vulnerable component (Helloprint plugin) can impact the confidentiality, integrity, or availability of other components (WordPress installation).

Affected ProductsAI

WordPress Helloprint plugin versions 2.0.7 and earlier are confirmed vulnerable per Patchstack analysis. The vulnerability report specifies version range 'from n/a through 2.0.7', indicating all released versions up to and including 2.0.7 contain the flaw. Affected installations are WordPress sites with Helloprint plugin active, regardless of WordPress core version. The plugin is developed by NotFound and available through the WordPress plugin repository. Patchstack vulnerability database entry available at https://patchstack.com/database/wordpress/plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability.

RemediationAI

Primary remediation is upgrading to Helloprint plugin version 2.0.8 or later if available-verify patched version at WordPress plugin repository or vendor site, as fixed version not independently confirmed in CVE data. If upgrade not immediately possible, deactivate and delete the Helloprint plugin until patched version confirmed available. Compensating controls include Web Application Firewall rules blocking requests with directory traversal patterns (../, ..\, URL-encoded variants %2e%2e%2f) to Helloprint plugin endpoints, though this may break legitimate plugin functionality if file operations are core features. Implement file integrity monitoring (FIM) on critical WordPress files (wp-config.php, .htaccess, index.php) to detect unauthorized deletion attempts-note this provides detection not prevention. Restrict WordPress file system permissions so web server user cannot delete core files outside wp-content/plugins/helloprint directory, reducing blast radius-however, standard WordPress hosting configurations may not permit granular permission changes without affecting site operations. Consult Patchstack advisory at provided URL for vendor-specific guidance and confirmed fix version.

Share

CVE-2025-26534 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy