CVE-2025-13666
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-06

Last updated on: 2025-12-08

Assigner: Wordfence

Description
The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-06
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13666
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
woocommerce woocommerce *
helloprint wordpress_plugin *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include: 1. Update the HelloPrint plugin to a version later than 2.1.2 if available, where authorization checks are implemented. 2. If an update is not available, restrict access to the vulnerable REST API endpoint by implementing authentication or IP restrictions via web server configuration or security plugins. 3. Use a Web Application Firewall (WAF) to block unauthenticated requests to `/wp-json/helloprint/v1/complete_order_from_helloprint_callback`. 4. Monitor WooCommerce orders for unauthorized status changes and audit logs for suspicious activity. 5. Disable or remove the HelloPrint plugin temporarily if mitigation is not possible until a patch is applied. These steps help prevent unauthenticated attackers from exploiting the missing authorization on the REST API endpoint. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP requests to the REST API endpoint `/wp-json/helloprint/v1/complete_order_from_helloprint_callback`. You can use network monitoring tools or web server logs to identify such requests. For example, using command line tools like `curl` to test the endpoint or `grep` to search web server logs for access to this endpoint. Example commands: 1. To check web server logs for access to the vulnerable endpoint: `grep '/wp-json/helloprint/v1/complete_order_from_helloprint_callback' /var/log/apache2/access.log` (adjust path as needed). 2. To test the endpoint manually (replace with actual orderReferenceId): `curl -X POST https://yourdomain.com/wp-json/helloprint/v1/complete_order_from_helloprint_callback -d '{"orderReferenceId":"test"}' -H 'Content-Type: application/json'` 3. Use intrusion detection systems or web application firewalls to alert on unauthenticated POST or GET requests to this endpoint. Additionally, review WooCommerce order metadata for unexpected changes in order statuses that could indicate exploitation. [2, 3]

Executive Summary

The Helloprint plugin for WordPress has a vulnerability called Missing Authorization in versions up to 2.1.2. This happens because the plugin exposes a public REST API endpoint without checking if the request is authorized. As a result, attackers who are not logged in can use this endpoint to change WooCommerce order statuses by providing a valid order reference ID.

Impact Analysis

This vulnerability allows unauthenticated attackers to arbitrarily modify the status of WooCommerce orders. This could lead to unauthorized changes in order processing, potentially causing business disruption, financial loss, or customer dissatisfaction.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart