Helloprint WordPress Plugin Missing Authorization Vulnerability Allows Unauthenticated Order Status Modification

Vulnerability

A missing-authorization vulnerability exists in the Helloprint plugin for WordPress in all versions up to and including 2.1.2. The plugin registers a public REST API endpoint without a proper authorization check, so unauthenticated attackers can set WooCommerce order statuses to arbitrary values. The endpoint is '/wp-json/helloprint/v1/complete_order_from_helloprint_callback'; a request that supplies a valid order reference ID is sufficient to trigger the change.

Impact

Exploitation of this vulnerability allows for unauthorized modification of WooCommerce order statuses, which could disrupt order management and fulfillment processes.

Reproduction

To reproduce this vulnerability, send a request to the '/wp-json/helloprint/v1/complete_order_from_helloprint_callback' endpoint without authentication. Include a valid order reference ID in the request. The absence of authorization checks will permit the modification of the specified order's status, demonstrating the vulnerability's impact.

Remediation

No patch is known to be available. Uninstall the affected plugin and consider a replacement.
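Sites that cannot remove the plugin immediately can close the endpoint from the outside until it is gone. The must-use plugin below is an added example, not code from Helloprint or from this advisory: it hooks WordPress's rest_pre_dispatch filter, which runs before any route callback, and returns a 403 for the affected route unless the caller either holds the manage_woocommerce capability or presents a valid HMAC over the request body. The shared secret (HELLOPRINT_CALLBACK_SECRET) and the signature header name (X-Callback-Signature) are assumptions for illustration, not something Helloprint's service sends; every blocked request is written to the PHP error log so it can be picked up for alerting.

```php
<?php
/**
 * Plugin Name: Helloprint callback guard (stopgap)
 * Description: Added example, not Helloprint's own code. Place this file in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Route as seen by WP_REST_Request::get_route() (no /wp-json prefix).
const HP_CALLBACK_ROUTE = '/helloprint/v1/complete_order_from_helloprint_callback';

// Assumption: a hypothetical header carrying hex(HMAC-SHA256(body, secret)).
// The secret is defined in wp-config.php:
//   define( 'HELLOPRINT_CALLBACK_SECRET', 'long-random-value' );
const HP_SIG_HEADER = 'X-Callback-Signature';

add_filter( 'rest_pre_dispatch', 'hp_guard_callback_route', 10, 3 );

/**
 * Short-circuit the affected route unless the caller is authorized.
 * rest_pre_dispatch fires before the route's own permission_callback,
 * so this check applies even though the plugin performs none.
 */
function hp_guard_callback_route( $result, $server, $request ) {
    $route = rtrim( (string) $request->get_route(), '/' );
    if ( $route !== HP_CALLBACK_ROUTE ) {
        return $result; // not the vulnerable route, leave untouched
    }

    // Logged-in shop managers/admins (cookie + nonce auth) may still call it.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return $result;
    }

    // Machine callers must prove possession of the shared secret.
    if ( hp_signature_is_valid( $request ) ) {
        return $result;
    }

    hp_log_blocked_request( $request );
    return new WP_Error(
        'rest_forbidden',
        'Callback not authorized.',
        array( 'status' => 403 )
    );
}

/**
 * Constant-time comparison of the presented signature with the expected one.
 * Fails closed when no secret has been configured.
 */
function hp_signature_is_valid( WP_REST_Request $request ) {
    if ( ! defined( 'HELLOPRINT_CALLBACK_SECRET' ) || '' === HELLOPRINT_CALLBACK_SECRET ) {
        return false;
    }

    $provided = (string) $request->get_header( HP_SIG_HEADER );
    if ( '' === $provided ) {
        return false;
    }

    $expected = hash_hmac( 'sha256', (string) $request->get_body(), HELLOPRINT_CALLBACK_SECRET );
    return hash_equals( $expected, $provided );
}

/**
 * Record blocked attempts; forward the PHP error log to your SIEM to alert on them.
 */
function hp_log_blocked_request( WP_REST_Request $request ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        '[hp-guard] blocked %s %s from %s (user=%d)',
        $request->get_method(),
        HP_CALLBACK_ROUTE,
        $ip,
        get_current_user_id()
    ) );
}
```

Because the guard rejects any caller that cannot sign the body, the real Helloprint service will also be blocked unless it can be configured to send the assumed header; treat this as a way to stop abuse while the plugin is being replaced, not as a substitute for removing it. The same pattern (capability check or HMAC verification, compared with hash_equals) is what a permission_callback on the route itself should contain.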

Added: Dec 6, 2025, 6:29 AM
Updated: Dec 6, 2025, 6:29 AM

Vulnerability Rating

Custom Algorithm

- spread: 1.0
- impact: 2.5
- exploitability: 9.3
- remediation: 0.0
- relevance: 1.4
- threat: 4.8
- urgency: 2.9
- incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.