Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Plug your WooCommerce into the largest catalog of customized print products from Helloprint by helloprint
CVE-2025-13666 (GCVE-0-2025-13666)
Vulnerability from nvd – Published: 2025-12-06 05:49 – Updated: 2026-04-08 16:50
VLAI?
Title
Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification
Summary
The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| helloprint | Plug your WooCommerce into the largest catalog of customized print products from Helloprint |
Affected:
0 , ≤ 2.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T21:12:08.392092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T21:12:19.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Plug your WooCommerce into the largest catalog of customized print products from Helloprint",
"vendor": "helloprint",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:54.147Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T17:34:37.000Z",
"value": "Disclosed"
}
],
"title": "Helloprint \u003c= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13666",
"datePublished": "2025-12-06T05:49:27.167Z",
"dateReserved": "2025-11-25T16:36:32.211Z",
"dateUpdated": "2026-04-08T16:50:54.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50525 (GCVE-0-2024-50525)
Vulnerability from nvd – Published: 2024-11-04 13:44 – Updated: 2026-04-28 16:10
VLAI?
Title
WordPress Helloprint plugin <= 2.0.4 - Arbitrary File Upload vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through <= 2.0.4.
Severity ?
10 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| helloprint | Helloprint |
Affected:
0 , ≤ 2.0.4
(custom)
|
Date Public ?
2026-04-01 16:30
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:helloprint:helloprint:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "helloprint",
"vendor": "helloprint",
"versions": [
{
"lessThanOrEqual": "2.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T15:30:18.996297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T15:32:30.945Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "helloprint",
"product": "Helloprint",
"vendor": "helloprint",
"versions": [
{
"changes": [
{
"at": "2.0.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "stealthcopter | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:30:59.590Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.\u003cp\u003eThis issue affects Helloprint: from n/a through \u003c= 2.0.4.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through \u003c= 2.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "Upload a Web Shell to a Web Server"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:31.257Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-2-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"title": "WordPress Helloprint plugin \u003c= 2.0.4 - Arbitrary File Upload vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-50525",
"datePublished": "2024-11-04T13:44:28.143Z",
"dateReserved": "2024-10-24T07:27:19.970Z",
"dateUpdated": "2026-04-28T16:10:31.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13666 (GCVE-0-2025-13666)
Vulnerability from cvelistv5 – Published: 2025-12-06 05:49 – Updated: 2026-04-08 16:50
VLAI?
Title
Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification
Summary
The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| helloprint | Plug your WooCommerce into the largest catalog of customized print products from Helloprint |
Affected:
0 , ≤ 2.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T21:12:08.392092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T21:12:19.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Plug your WooCommerce into the largest catalog of customized print products from Helloprint",
"vendor": "helloprint",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:54.147Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T17:34:37.000Z",
"value": "Disclosed"
}
],
"title": "Helloprint \u003c= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13666",
"datePublished": "2025-12-06T05:49:27.167Z",
"dateReserved": "2025-11-25T16:36:32.211Z",
"dateUpdated": "2026-04-08T16:50:54.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50525 (GCVE-0-2024-50525)
Vulnerability from cvelistv5 – Published: 2024-11-04 13:44 – Updated: 2026-04-28 16:10
VLAI?
Title
WordPress Helloprint plugin <= 2.0.4 - Arbitrary File Upload vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through <= 2.0.4.
Severity ?
10 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| helloprint | Helloprint |
Affected:
0 , ≤ 2.0.4
(custom)
|
Date Public ?
2026-04-01 16:30
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:helloprint:helloprint:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "helloprint",
"vendor": "helloprint",
"versions": [
{
"lessThanOrEqual": "2.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T15:30:18.996297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T15:32:30.945Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "helloprint",
"product": "Helloprint",
"vendor": "helloprint",
"versions": [
{
"changes": [
{
"at": "2.0.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "stealthcopter | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:30:59.590Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.\u003cp\u003eThis issue affects Helloprint: from n/a through \u003c= 2.0.4.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through \u003c= 2.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "Upload a Web Shell to a Web Server"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:31.257Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-2-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"title": "WordPress Helloprint plugin \u003c= 2.0.4 - Arbitrary File Upload vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-50525",
"datePublished": "2024-11-04T13:44:28.143Z",
"dateReserved": "2024-10-24T07:27:19.970Z",
"dateUpdated": "2026-04-28T16:10:31.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}