Skip to main content

Helloprint WordPress Plugin CVE-2025-26540

HIGH
Path Traversal (CWE-22)
2025-03-03 audit@patchstack.com
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:08 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.7

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.

AnalysisAI

Arbitrary file deletion in Helloprint WordPress plugin (versions up to 2.0.7) allows authenticated attackers with low privileges to delete critical system files via path traversal, potentially causing complete site unavailability. The CVSS 7.7 score reflects the Changed scope and High availability impact - an attacker can traverse directories to target files outside the plugin's intended boundary, triggering denial of service. EPSS score of 0.18% (40th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-22 (Path Traversal / Directory Traversal) in the Helloprint WordPress plugin, which integrates print-on-demand services. Path traversal occurs when user-controlled input containing directory traversal sequences (like '../') is not properly sanitized before being used in file system operations. In this case, the vulnerability manifests as arbitrary file deletion - an attacker can craft requests that escape the plugin's intended directory scope to delete files anywhere the web server process has write permissions. The Changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin itself, consistent with file deletion capabilities that could target WordPress core files, configuration files, or other plugins. The low attack complexity (AC:L) and network attack vector (AV:N) with no user interaction (UI:N) make this exploitable through direct HTTP requests once authentication is obtained.

Affected ProductsAI

The vulnerability affects the Helloprint WordPress plugin by NotFound, specifically all versions from the initial release through version 2.0.7 inclusive. Helloprint is a print-on-demand integration plugin that allows WordPress/WooCommerce site owners to connect their stores with Helloprint's manufacturing and fulfillment services. According to Patchstack's vulnerability database (reference: https://patchstack.com/database/wordpress/plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability-2), version 2.0.7 is confirmed vulnerable. No specific CPE identifier was provided in the NVD data, but the product can be identified as WordPress plugin slug 'helloprint'. Site administrators running this plugin should verify their installed version through the WordPress admin dashboard under Plugins.

RemediationAI

Immediately update the Helloprint WordPress plugin to a version newer than 2.0.7 if the vendor has released a patched version - check the WordPress.org plugin repository or contact NotFound directly for the latest secure release. According to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability-2, Patchstack has documented the vulnerability details which typically indicates vendor notification has occurred, though the exact patched version number is not confirmed in available data. If no patch is available or updating is not immediately feasible, implement these compensating controls: (1) Deactivate and remove the Helloprint plugin if print-on-demand integration is not business-critical - this eliminates the attack surface entirely but disables the plugin's functionality; (2) Restrict WordPress user roles to only trusted administrators and eliminate subscriber/contributor accounts - this reduces the pool of potential PR:L attackers but impacts sites requiring user registration; (3) Implement web application firewall (WAF) rules to detect and block requests containing path traversal sequences (../, ..\ encoded variants) targeting the plugin's endpoints, though this may cause false positives and requires careful tuning; (4) Enable comprehensive file integrity monitoring to detect unauthorized file deletions and allow rapid restoration from backups. Ensure daily off-site WordPress backups are in place to recover from successful exploitation.

Share

CVE-2025-26540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy