CVE-2025-60083
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection. This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 6.5.0.
Analysis
Object injection via unsafe deserialization in the PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. All versions through 6.5.0 are affected. No public exploit had been identified at the time of analysis, and the EPSS probability of 0.07% suggests minimal real-world exploitation activity despite the high CVSS score.
Technical Context
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), where the PDF Invoice Builder WordPress plugin fails to properly validate or sanitize serialized data before passing it to PHP's unserialize() function. PHP object injection occurs when untrusted data is deserialized, allowing attackers to instantiate arbitrary classes with controlled properties. In WordPress environments, this often leads to remote code execution by leveraging magic methods (__wakeup, __destruct, __toString) in existing classes to create exploit chains. The plugin processes WooCommerce invoice data, likely deserializing user-controllable input from database records or API parameters without proper input validation. Given this is a WordPress plugin vulnerability, the attack surface involves authenticated plugin functionality, potentially invoice customization features or data import mechanisms.
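The CWE-502 pattern described above, shown as an added example that is not the plugin's code and not taken from the advisory: a handler that passes user-controlled serialized data straight to unserialize(), beside a hardened version that refuses to instantiate any class. The class InvoiceTemplateCache, the function names and the settings keys are hypothetical stand-ins; the gadget's only side effect is an error_log() call so that the point where a magic method runs is visible without doing anything harmful.

```php
<?php
declare(strict_types=1);

// Hypothetical class standing in for a "gadget" that already exists somewhere
// in a WordPress/WooCommerce code base. Its __destruct has a side effect; in a
// real chain that side effect could be a file write, a query, or code execution.
class InvoiceTemplateCache
{
    public string $cacheFile = '';

    public function __destruct()
    {
        error_log("InvoiceTemplateCache::__destruct ran with cacheFile='{$this->cacheFile}'");
    }
}

// VULNERABLE (CWE-502): user-controlled serialized data, e.g. a saved
// customization option or a request parameter, goes straight into unserialize().
// Any class can be instantiated with attacker-chosen properties, and its
// magic methods (__wakeup, __destruct, __toString) run.
function load_invoice_settings_vulnerable(string $raw): array
{
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// HARDENED: allowed_classes => false (PHP 7.0+) means no class is instantiated;
// any O: entry becomes __PHP_Incomplete_Class, whose magic methods never run.
// The recursive walk then rejects the whole input if any object is present,
// so the settings that reach application logic are scalars and arrays only.
function load_invoice_settings_hardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return [];
    }
    return $data;
}

function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs. The injected string is built from a stdClass and then
// relabelled, so no InvoiceTemplateCache instance exists until unserialize()
// creates one; this keeps the demonstration honest about where __destruct runs.
$benign = serialize(['logo' => 'shop.png', 'footer' => 'Thanks for your order']);

$stub = new stdClass();
$stub->cacheFile = 'injected.tmp';
$injected = str_replace(
    'O:8:"stdClass"',
    'O:20:"InvoiceTemplateCache"',
    serialize(['logo' => 'shop.png', 'tpl' => $stub])
);

// Vulnerable path: the object is rebuilt, and __destruct fires when $data is freed.
load_invoice_settings_vulnerable($injected);
// Hardened path: the injected input is rejected, the benign one is accepted.
var_dump(load_invoice_settings_hardened($injected));
var_dump(load_invoice_settings_hardened($benign));
```

The design point is that allowed_classes alone is not the whole fix: it stops magic methods from running, but the resulting __PHP_Incomplete_Class values can still confuse downstream code, so the hardened loader rejects the entire input rather than silently passing partial data through. For new data formats, storing settings as JSON and reading them with json_decode() avoids the problem class entirely.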
Affected Products
The vulnerability affects PDF Invoice Builder for WooCommerce plugin developed by add-ons.org, impacting all versions from initial release through version 6.5.0 inclusive. This WordPress plugin integrates with WooCommerce e-commerce platforms to generate customizable PDF invoices. Organizations running WordPress sites with WooCommerce stores using this plugin for invoice generation, packing slips, or delivery notes should consider themselves affected. The vendor advisory and technical details are available through Patchstack's vulnerability database at https://patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoice-builder-for-woocommerce-plugin-6-3-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve, which provides additional context on the object injection mechanism.
Remediation
Upgrade PDF Invoice Builder for WooCommerce plugin to version 6.5.1 or later if available, verifying the vendor has addressed the deserialization vulnerability through input validation improvements or removal of unsafe unserialize() calls. Check the official WordPress plugin repository or add-ons.org vendor site for the latest patched release. As an interim mitigation, restrict plugin access to only highly trusted administrator accounts, review user role capabilities to minimize low-privilege access to invoice customization features, and implement Web Application Firewall (WAF) rules to detect and block serialized PHP object patterns in POST parameters. Monitor WordPress access logs for suspicious invoice-related requests containing serialized data indicators (values containing serialized PHP markers such as O: or a: followed by a length and a brace-delimited body). Organizations unable to patch immediately should consider temporarily disabling the plugin if invoice generation functionality is non-critical, or implementing network segmentation to isolate WooCommerce administrative interfaces. Consult the Patchstack advisory for vendor-specific remediation guidance and validate patch effectiveness through testing in non-production environments before deployment.
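The WAF and log-monitoring advice above refers to serialized-PHP indicators in request parameters. The following is an added example, not code from the advisory or the plugin, of a check that applies those indicators to a form body or query string, including values that arrive URL-encoded twice or wrapped in base64. The regular expressions, function names and the sample bodies are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Serialized-PHP indicators: an object marker O:<len>:"<class>":<n>:{ and an
// array marker a:<n>:{ . The object marker is the one that matters for CWE-502;
// a bare array is flagged too because the advice above mentions both.
const SERIALIZED_OBJECT_RE = '/\bO:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';
const SERIALIZED_ARRAY_RE  = '/\ba:\d+:\{/';

// A value may arrive double-URL-encoded or base64-wrapped, so inspect a few
// decodings of it rather than only the raw form.
function candidate_decodings(string $value): array
{
    $out = [$value, urldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false && $b64 !== '') {
        $out[] = $b64;
    }
    return array_values(array_unique($out));
}

// Classify one parameter value as 'object', 'array', or null (nothing found).
function classify_serialized(string $value): ?string
{
    $decodings = candidate_decodings($value);
    foreach ($decodings as $candidate) {
        if (preg_match(SERIALIZED_OBJECT_RE, $candidate) === 1) {
            return 'object';
        }
    }
    foreach ($decodings as $candidate) {
        if (preg_match(SERIALIZED_ARRAY_RE, $candidate) === 1) {
            return 'array';
        }
    }
    return null;
}

// Parse a form body or query string and return [param => kind] for each hit.
function flag_serialized_params(string $body): array
{
    parse_str($body, $params);
    $findings = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && ($kind = classify_serialized($value)) !== null) {
            $findings[$name] = $kind;
        }
    }
    return $findings;
}

// Constructed sample bodies (test data, not captured traffic).
$samples = [
    'benign'     => 'invoice_footer=Thank+you&logo=shop.png',
    'array'      => 'settings=' . urlencode('a:1:{s:4:"logo";s:8:"shop.png";}'),
    'object'     => 'settings=' . urlencode('O:8:"stdClass":1:{s:3:"foo";i:1;}'),
    'b64_object' => 'settings=' . urlencode(base64_encode('O:8:"stdClass":1:{s:3:"foo";i:1;}')),
];
foreach ($samples as $label => $body) {
    printf("%-12s %s\n", $label, json_encode(flag_serialized_params($body)));
}
```

The object marker is the signal worth alerting on; serialized arrays do show up in legitimate WordPress traffic, so an array hit is better treated as a lower-severity indicator or scoped to the plugin's own endpoints to keep the false-positive rate manageable.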