Platform: wordpress
Component: helloprint
Fixed in: 2.0.8
CVE-2025-26540 describes an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability within the Helloprint WordPress plugin. This vulnerability allows attackers to potentially read arbitrary files on the server, leading to data exposure and potential system compromise. The vulnerability affects versions from 0.0.0 through 2.0.7, and a fix is available in version 2.0.8.
The primary impact of this vulnerability is the ability for an attacker to read arbitrary files on the server hosting the WordPress site. This could include sensitive configuration files, database credentials, source code, or other confidential data. Successful exploitation could lead to complete compromise of the web server and potentially the entire network if the server has access to other resources. While the vulnerability description doesn't explicitly mention it, a successful file read could reveal credentials used to access other systems, enabling lateral movement. The blast radius extends to any data accessible by the web server user account.
CVE-2025-26540 was publicly disclosed on March 3, 2025. As of this writing, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 7.7 indicates a high potential for exploitation if a suitable PoC becomes available.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade the Helloprint WordPress plugin to version 2.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Specifically, ensure that the web server user account has minimal privileges and cannot access sensitive files outside of the webroot. Web Application Firewall (WAF) rules can be configured to block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a non-public file via a path traversal request; the request should be denied.
Update the Helloprint plugin to the latest available version to mitigate the path traversal vulnerability. Check for plugin updates in the WordPress admin panel or through the official WordPress.org repository.
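The following Python script is an added example, not code from this page or from the Helloprint project, illustrating two defender-side pieces the mitigation section implies. First, a scan of web-server access logs for traversal sequences that decodes URL-encoding before matching: a WAF or log rule that only looks for the literal `../` misses `%2e%2e%2f` and double-encoded forms, so the scan decodes repeatedly and flags requests that were answered with 200 as higher priority than those already blocked. Second, a path-confinement check of the kind any file-serving code should apply, which resolves the requested name under a fixed base directory and rejects anything that escapes it. The log lines, the `EXAMPLE-PLUGIN` path, and the base directory are constructed for illustration and are not taken from the advisory.

```python
"""Path traversal: log detection and safe path confinement (added example)."""
import os
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines in common log format (not real traffic).
# The plugin path is a placeholder, not the vulnerable plugin's actual endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/EXAMPLE-PLUGIN/view.php?file=report.pdf HTTP/1.1" 200 512
203.0.113.7 - - [03/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/EXAMPLE-PLUGIN/view.php?file=../../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [03/Mar/2025:10:00:03 +0000] "GET /wp-content/plugins/EXAMPLE-PLUGIN/view.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [03/Mar/2025:10:00:04 +0000] "GET /wp-content/plugins/EXAMPLE-PLUGIN/view.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0
198.51.100.2 - - [03/Mar/2025:10:00:05 +0000] "GET /index.php?p=about HTTP/1.1" 200 8192
"""

# One request line of the common log format: client IP, identity, user,
# timestamp, quoted request, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment followed by a separator (or end of string) after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(raw: str) -> bool:
    """True if the decoded value contains a parent-directory traversal segment."""
    decoded = fully_decode(raw).replace("\\", "/")  # treat backslash as a separator too
    return bool(TRAVERSAL_RE.search(decoded))


def scan_access_log(text: str) -> list:
    """Return one record per request whose path or query values contain traversal.

    Each record carries the client IP, the HTTP status the server returned and the
    decoded offending value. A 200 status means the request was served, which is
    the case an analyst should look at first.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # parse_qsl performs one round of decoding; fully_decode handles the rest.
        candidates = [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]
        for value in candidates:
            if has_traversal(value):
                status = int(m.group("status"))
                hits.append({
                    "ip": m.group("ip"),
                    "status": status,
                    "served": status == 200,
                    "value": fully_decode(value),
                })
                break  # one record per request line
    return hits


def resolve_within(base_dir: str, user_supplied: str):
    """Resolve a user-supplied file name under base_dir; return None if it escapes.

    Resolving with realpath normalises "..", and os.path.join discards base_dir
    when the supplied value is absolute, which commonpath then catches as an escape.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fully_decode(user_supplied)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['ip']:<14} {hit['status']} {flag:<8} {hit['value']}")
    print(resolve_within("/srv/example-base", "docs/report.pdf"))
    print(resolve_within("/srv/example-base", "../../etc/passwd"))
```

Run it directly to see the three flagged requests (two served, one blocked) and the two confinement results. In a real deployment the scan would read the rotated access logs of the web server rather than the embedded sample, and `resolve_within` would sit in front of every `open()` that takes a client-controlled name.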
CVE-2025-26540 is a Path Traversal vulnerability in the Helloprint WordPress plugin allowing attackers to read arbitrary files. It has a CVSS score of 7.7 and affects versions 0.0.0–2.0.7.
Yes, if your WordPress site uses the Helloprint plugin and is running version 0.0.0 through 2.0.7, you are affected by this vulnerability.
Upgrade the Helloprint WordPress plugin to version 2.0.8 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access permissions and WAF rules.
As of now, there is no evidence of active exploitation campaigns targeting CVE-2025-26540, but the high CVSS score warrants vigilance.
Refer to the Helloprint project's official website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-26540.