{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13666", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T16:36:32.211Z", "datePublished": "2025-12-06T05:49:27.167Z", "dateUpdated": "2026-04-08T16:50:54.147Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:54.147Z"}, "affected": [{"vendor": "helloprint", "product": "Plug your WooCommerce into the largest catalog of customized print products from Helloprint", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID."}], "title": "Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48"}, {"url": "https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-05T17:34:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:12:08.392092Z", "id": "CVE-2025-13666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:12:19.643Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:12:08.392092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:12:14.783Z"}}], "cna": {"title": "Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "helloprint", "product": "Plug your WooCommerce into the largest catalog of customized print products from Helloprint", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:34:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48"}, {"url": "https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48"}], "descriptions": [{"lang": "en", "value": "The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:54.147Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13666", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:50:54.147Z", "dateReserved": "2025-11-25T16:36:32.211Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:27.167Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID."}], "id": "CVE-2025-13666", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:52.267", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:39:45.860231+00:00", "value": {"mitigation_remediation": ["Update the Helloprint plugin to the latest version that implements proper authorization checks on the /complete_order_from_helloprint_callback endpoint", "If an immediate update is not possible, disable or restrict the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by adding an authentication requirement or blocking access via web\u2011application firewall rules", "Monitor WooCommerce order logs for unexpected status changes and verify that the endpoint no longer accepts unauthenticated requests"], "summary": {"action": "Apply patch", "impact": "Unauthorized modification of WooCommerce order status"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Helloprint WordPress plugin version 2.1.2 and all earlier releases. Users running any of those plugin versions on a WordPress site with WooCommerce enabled are susceptible.", "description_and_impact": "The Helloprint plugin for WordPress contains a missing authorization check on a public REST API endpoint. The endpoint /wp-json/helloprint/v1/complete_order_from_helloprint_callback allows any user, even unauthenticated, to provide a valid order reference ID and arbitrarily change the status of a WooCommerce order. The ability to modify order status without permission can lead to fraudulent transaction processing, revenue loss, or account manipulation.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, but the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the weakness by sending unauthenticated HTTP requests to the vulnerable endpoint, bypassing any ownership or permission checks."}}}}, "created": "2025-12-08T09:39:28.037582+00:00", "updated": "2026-04-21T17:45:16.486673+00:00", "vendors": ["helloprint", "helloprint$PRODUCT$helloprint", "wordpress", "wordpress$PRODUCT$wordpress"]}