CVE-2025-13666: CWE-862 Missing Authorization in helloprint Plug your WooCommerce into the largest catalog of customized print products from Helloprint
The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID.
AI Analysis
Technical Summary
The Helloprint plugin for WordPress, which connects WooCommerce stores to Helloprint's extensive catalog of customized print products, suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2025-13666. This vulnerability exists in all versions up to and including 2.1.2. The root cause is the registration of a public REST API endpoint (/wp-json/helloprint/v1/complete_order_from_helloprint_callback) that lacks proper authorization checks to verify the authenticity of incoming requests. As a result, unauthenticated attackers can invoke this endpoint by supplying a valid WooCommerce order reference ID and arbitrarily modify the status of orders. The vulnerability does not expose sensitive data (no confidentiality impact) nor does it cause denial of service (no availability impact), but it compromises the integrity of order data by allowing unauthorized status changes. This could lead to fraudulent order processing, confusion in order fulfillment, or manipulation of order workflows. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its attack surface. Although no known exploits have been reported in the wild as of now, the ease of exploitation and the widespread use of WooCommerce and Helloprint plugins make this a notable risk. The CVSS v3.1 base score is 5.3, indicating medium severity, with vector metrics AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability was reserved on November 25, 2025, and published on December 6, 2025, by Wordfence. No official patches have been linked yet, so mitigation currently relies on access control and monitoring.
Potential Impact
The primary impact of CVE-2025-13666 is on the integrity of WooCommerce order data managed through the Helloprint plugin. Unauthorized modification of order statuses can disrupt business operations by causing incorrect order fulfillment, financial discrepancies, and customer dissatisfaction. Attackers could potentially mark orders as completed or canceled without legitimate authorization, leading to loss of revenue or logistical confusion. While confidentiality and availability remain unaffected, the integrity compromise can damage trust in the e-commerce platform and complicate audit trails. Organizations relying on Helloprint for print product integration may face operational disruptions and reputational harm if exploited. Given the plugin's integration with WooCommerce, a widely used e-commerce platform globally, the scope of affected systems is significant. The lack of authentication requirement and ease of exploitation increase the risk of automated or mass exploitation attempts. However, the absence of known exploits in the wild suggests limited active targeting so far, though this could change rapidly once exploit code is publicly available.
Mitigation Recommendations
1. Immediately restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to /wp-json/helloprint/v1/complete_order_from_helloprint_callback.
2. Employ IP whitelisting or authentication mechanisms (e.g., OAuth, API keys) on the Helloprint plugin endpoints to ensure only authorized systems can invoke order status changes.
3. Monitor WooCommerce order status changes for unusual patterns or spikes that could indicate exploitation attempts.
4. Regularly audit plugin versions and update to the latest patched release once Helloprint provides a fix addressing this vulnerability.
5. If immediate patching is not possible, consider disabling the Helloprint plugin temporarily or limiting its functionality to prevent unauthorized API access.
6. Educate development and security teams about the risks of exposing REST API endpoints without proper authorization checks.
7. Review and harden WordPress REST API permissions across all plugins to prevent similar issues.
8. Implement comprehensive logging and alerting on order status modifications to detect and respond to suspicious activities promptly.
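To make the bug class in the technical summary concrete and to show the hardening that recommendation 7 asks for, here is an added PHP illustration; it is not the Helloprint plugin's code, and the route names, the X-Signature header, the option name and the HMAC scheme are assumptions, since the page does not describe the plugin's internals. The first registration is the CWE-862 pattern (a callback anyone can reach that trusts the order ID alone); the second gates the same callback behind a permission_callback that verifies a signature over the request body and only allows the one state transition the callback exists for.

```php
<?php
// Added illustration, not the Helloprint plugin's code. Hypothetical route,
// header and option names; the page does not show the plugin's internals.

// Vulnerable pattern (CWE-862): permission_callback lets every caller through,
// so anyone who knows a valid order ID can flip that order's status.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/complete_order_callback', array(
        'methods'             => 'POST',
        'callback'            => 'example_complete_order',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// Hardened pattern: the supplier signs the raw body with a shared secret
// (assumed HMAC-SHA256 in a hypothetical X-Signature header) and the
// permission_callback rejects any request that does not verify.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/complete_order_callback_signed', array(
        'methods'             => 'POST',
        'callback'            => 'example_complete_order',
        'permission_callback' => 'example_verify_callback_signature',
    ) );
} );

function example_verify_callback_signature( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_callback_secret', '' ); // assumed option
    $given  = (string) $request->get_header( 'x-signature' );
    if ( '' === $secret || '' === $given ) {
        return new WP_Error( 'rest_forbidden', 'Missing signature.', array( 'status' => 401 ) );
    }
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    if ( ! hash_equals( $expected, $given ) ) { // constant-time comparison
        return new WP_Error( 'rest_forbidden', 'Bad signature.', array( 'status' => 403 ) );
    }
    return true;
}

function example_complete_order( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Unknown order.', array( 'status' => 404 ) );
    }
    // Accept only the transition this callback is for, and record it as an
    // order note so every status change leaves an audit trail (recommendation 8).
    if ( ! $order->has_status( 'processing' ) ) {
        return new WP_Error( 'invalid_state', 'Order not awaiting completion.', array( 'status' => 409 ) );
    }
    $order->update_status( 'completed', 'Completed via signed supplier callback.' );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

Auditing for this class of issue across installed plugins comes down to grepping for register_rest_route calls whose permission_callback is __return_true and asking, for each, whether the endpoint really is meant to be public.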
Affected Countries
United States, United Kingdom, Germany, Netherlands, Australia, Canada, France, Belgium, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T16:36:32.211Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71e11163305efef3de0
Added to database: 12/6/2025, 6:03:10 AM
Last enriched: 2/27/2026, 10:08:09 AM
Last updated: 3/26/2026, 9:24:03 AM
Views: 97