CVE-2025-26540
Published: 03 March 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-26540 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the Helloprint WordPress plugin. This issue affects Helloprint versions from unknown initial release through 2.0.7. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables path traversal, leading to arbitrary file deletion and resulting in a high-impact denial of service (DoS) due to the changed scope (S:C), with no direct confidentiality or integrity violations.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/helloprint/vulnerability/wordpress-helloprint-plugin-2-0-7-arbitrary-file-deletion-vulnerability-2?_s_id=cve details this as an arbitrary file deletion vulnerability specifically in Helloprint plugin version 2.0.7. Practitioners should review the advisory for mitigation steps, such as updating to a non-vulnerable version beyond 2.0.7 or applying recommended workarounds.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin enables remote exploitation of the application (T1190) and arbitrary file deletion to destroy data and cause DoS (T1485).