CVE-2025-26534 - Vulnerability Details

- WordPress Helloprint Plugin <= 2.0.7 - Arbitrary File Deletion vulnerability

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal.This issue affects Helloprint: from n/a through <= 2.0.7.

Published: 2025-03-03

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Elecronic path traversal flaw (CWE-22) in the Helloprint WordPress plugin allows an attacker to delete any file on the server that the web application can access. This leads to loss of critical data, disruption of site operations, and potential compromise of sensitive information stored on the server.

Affected Systems

The vulnerability affects the Helloprint plugin for WordPress, specifically all installed versions from the initial release through version 2.0.7. No specific build or platform constraints are listed, so any WordPress site running the plugin within this version range is potentially impacted.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low as of this analysis, and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves exploitation of the plugin’s file deletion functionality, which may require authenticated access or direct interaction with the plugin's control interface. Once executed, an attacker can delete arbitrary files, undermining availability and integrity of the affected WordPress installation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

helloprint

Helloprint

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.7

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Helloprint plugin to any version later than 2.0.7 that includes the path traversal fix.
Restrict file deletion capabilities to administrators only and disable or remove any publicly exposed deletion endpoints.
Configure web server access controls (e.g., .htaccess) to deny directory traversal requests to the plugin’s root path.
Enable a Web Application Firewall to block suspicious path traversal patterns targeting the plugin.

Generated by OpenCVE AI on May 1, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-5611	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00296.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal.This issue affects Helloprint: from n/a through <= 2.0.7.
References	https://patchstack.com/database/wordpress/plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 03 Mar 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.
Title		WordPress Helloprint Plugin <= 2.0.7 - Arbitrary File Deletion vulnerability
Weaknesses		CWE-22
References		https://patchstack.com/database/wordpress/plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-03-03T13:30:27.779Z

Updated: 2026-04-28T16:11:37.810Z

Reserved: 2025-02-12T13:58:16.935Z

Link: CVE-2025-26534

Vulnrichment

Updated: 2025-03-03T15:49:31.324Z

NVD

Status : Deferred

Published: 2025-03-03T14:15:54.757

Modified: 2026-04-23T15:25:45.247

Link: CVE-2025-26534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:30:06Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object