Skip to main content

WooCommerce PDF Invoices CVE-2026-13116

| EUVDEUVD-2026-43138 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-11 Wordfence GHSA-wr2f-frvr-f8hg
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable shortcode requires contributor auth (PR:L); non-default config is a site precondition, not attacker complexity (AC:L); confidentiality impact is partial, limited to order document data (C:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:12 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 4.3

DescriptionCVE.org

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.

AnalysisAI

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress contributor
Delivery
invoke generate_document_shortcode with target order ID
Exploit
plugin generates session-free URL using order_key without ownership check
Execution
share or directly access permanent download link
Impact
retrieve third-party customer invoice containing PII and payment details

Vulnerability AssessmentAI

Exploitation Two conditions must both be true for exploitation to be possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the attack surface: network-reachable, low complexity once in position, but requiring at minimum contributor-level WordPress authentication and - critically - a non-default plugin configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor-level WordPress account on a store where the plugin's link access type is set to 'full' uses the generate_document_shortcode with an incremented or enumerated order ID belonging to another customer. The shortcode generates a permanent, session-free URL to that order's invoice PDF, which the attacker can then access directly from any browser without authentication, retrieving the victim customer's name, address, email, phone number, order totals, and payment details.
Remediation An upstream fix has been committed to the plugin's Subversion repository (changeset 3590578 at https://plugins.trac.wordpress.org/changeset?reponame=&old=3590578%40woocommerce-pdf-invoices-packing-slips&new=3590578%40woocommerce-pdf-invoices-packing-slips); however, the specific released patched version number is not confirmed in the available data - site administrators should update to the latest available version via the WordPress plugin dashboard and verify the installed version exceeds 5.14.0 once a new release is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy