CVE-2025-13666
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13666, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-06

Last updated on: 2025-12-08

Assigner: Wordfence

Description

The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-06
Last Modified
2025-12-08
Generated
2026-07-06
AI Q&A
2025-12-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
woocommerce woocommerce *
helloprint wordpress_plugin *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Helloprint plugin for WordPress has a vulnerability called Missing Authorization in versions up to 2.1.2. This happens because the plugin exposes a public REST API endpoint without checking if the request is authorized. As a result, attackers who are not logged in can use this endpoint to change WooCommerce order statuses by providing a valid order reference ID.

Impact Analysis

This vulnerability allows unauthenticated attackers to arbitrarily modify the status of WooCommerce orders. This could lead to unauthorized changes in order processing, potentially causing business disruption, financial loss, or customer dissatisfaction.

Mitigation Strategies

Immediate mitigation steps include: 1. Update the HelloPrint plugin to a version later than 2.1.2 if available, where authorization checks are implemented. 2. If an update is not available, restrict access to the vulnerable REST API endpoint by implementing authentication or IP restrictions via web server configuration or security plugins. 3. Use a Web Application Firewall (WAF) to block unauthenticated requests to `/wp-json/helloprint/v1/complete_order_from_helloprint_callback`. 4. Monitor WooCommerce orders for unauthorized status changes and audit logs for suspicious activity. 5. Disable or remove the HelloPrint plugin temporarily if mitigation is not possible until a patch is applied. These steps help prevent unauthenticated attackers from exploiting the missing authorization on the REST API endpoint. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP requests to the REST API endpoint `/wp-json/helloprint/v1/complete_order_from_helloprint_callback`. You can use network monitoring tools or web server logs to identify such requests. For example, using command line tools like `curl` to test the endpoint or `grep` to search web server logs for access to this endpoint. Example commands: 1. To check web server logs for access to the vulnerable endpoint: `grep '/wp-json/helloprint/v1/complete_order_from_helloprint_callback' /var/log/apache2/access.log` (adjust path as needed). 2. To test the endpoint manually (replace with actual orderReferenceId): `curl -X POST https://yourdomain.com/wp-json/helloprint/v1/complete_order_from_helloprint_callback -d '{"orderReferenceId":"test"}' -H 'Content-Type: application/json'` 3. Use intrusion detection systems or web application firewalls to alert on unauthenticated POST or GET requests to this endpoint. Additionally, review WooCommerce order metadata for unexpected changes in order statuses that could indicate exploitation. [2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart