PT-2025-49345 · WordPress · Helloprint Plugin

Published: 2025-12-06 · Updated: 2025-12-06 · CVE-2025-13666

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Helloprint plugin for WordPress versions up to and including 2.1.2

Description

The Helloprint plugin for WordPress is subject to a missing authorization issue. The plugin registers a public REST API endpoint without verifying request authenticity. This allows unauthenticated attackers to modify WooCommerce order statuses. The vulnerable API endpoint is '/wp-json/helloprint/v1/complete order from helloprint callback', and it can be exploited by providing a valid order reference ID.

Recommendations

Update the Helloprint plugin to a version later than 2.1.2.
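To check whether the endpoint was called before the update, the following added example (not part of the advisory or the plugin) scans web server access logs for requests to the plugin's REST namespace, covering both the `/wp-json/` form and WordPress's `?rest_route=` form. It assumes Combined Log Format; the sample lines, IP addresses and the `EXAMPLE-ROUTE` name are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Namespace prefix as given in the advisory; the route name itself is not needed.
NAMESPACE = "/helloprint/v1/"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:  # pretty permalinks
        return "/" + path.split("/wp-json/", 1)[1]
    route = parse_qs(parts.query).get("rest_route")  # plain permalinks
    return route[0] if route else None

def find_callback_hits(lines):
    """Return (time, ip, method, status, route) for requests to the plugin namespace."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        route = rest_route(m["target"])
        if route and route.lower().startswith(NAMESPACE):
            hits.append((m["time"], m["ip"], m["method"], int(m["status"]), route))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder route name).
SAMPLE = [
    '203.0.113.7 - - [06/Dec/2025:10:15:02 +0000] "POST /wp-json/helloprint/v1/EXAMPLE-ROUTE HTTP/1.1" 200 52 "-" "-"',
    '198.51.100.20 - - [06/Dec/2025:10:16:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4211 "-" "-"',
    '203.0.113.7 - - [06/Dec/2025:10:17:11 +0000] "POST /index.php?rest_route=%2Fhelloprint%2Fv1%2FEXAMPLE-ROUTE HTTP/1.1" 200 52 "-" "-"',
    '198.51.100.20 - - [06/Dec/2025:10:18:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_callback_hits(SAMPLE):
        print(*hit, sep="  ")
```

Hits with a 2xx status are the ones to compare against WooCommerce order status changes at the same timestamps.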

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-13666

Affected Products

Helloprint Plugin