Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal. This issue affects Helloprint: from n/a through <= 2.0.7.
Published: 2025-03-03
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Helloprint plugin contains a Path Traversal flaw (CWE‑22) that lets an attacker delete arbitrary files on the server. By manipulating a file path, the vulnerable code can operate outside the intended directory, causing loss of critical WordPress files, configuration data, or any file the web server can access, potentially leading to site downtime or collateral damage. Based on the description, it is inferred that such path manipulations are possible.

Affected Systems

WordPress sites running the Helloprint plugin up to and including version 2.0.7. The vulnerability applies to all releases from the earliest available version through 2.0.7, as the plugin name is simply "helloprint."

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while an EPSS score of less than 1% indicates a low estimated likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The typical attack path, as inferred from the description, is a crafted request that supplies a path containing traversal sequences (e.g., "../") to the plugin, which then performs a file deletion operation. The analysis also infers from the description that any user with access to the vulnerable endpoint can trigger the flaw, so authentication may not be a strict prerequisite, making the vulnerability effectively publicly exploitable when the plugin is present. Note that the CVSS vector published for this CVE specifies PR:L (low privileges required).

Generated by OpenCVE AI on May 2, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Helloprint plugin to the latest version that removes the Path Traversal flaw.
  • If an upgrade is not immediately possible, fully disable or remove the Helloprint plugin from the WordPress installation until a patched version is available.
  • Restrict file system permissions on the WordPress file hierarchy to prevent deletion of critical files, ensuring that the web server process runs with the least privileges required.



Advisories
Source: EUVD
ID: EUVD-2025-5638
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal. This issue affects Helloprint: from n/a through <= 2.0.7.
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Helloprint allows Path Traversal. This issue affects Helloprint: from n/a through 2.0.7.
Title WordPress Helloprint Plugin <= 2.0.7 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.701Z

Reserved: 2025-02-12T13:58:16.936Z

Link: CVE-2025-26540

Vulnrichment

Updated: 2025-03-03T15:47:45.457Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:55.037

Modified: 2026-04-23T15:25:46.173

Link: CVE-2025-26540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:00:13Z
