Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable shortcode requires contributor auth (PR:L); non-default config is a site precondition, not attacker complexity (AC:L); confidentiality impact is partial, limited to order document data (C:L).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.
AnalysisAI
Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two conditions must both be true for exploitation to be possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the attack surface: network-reachable, low complexity once in position, but requiring at minimum contributor-level WordPress authentication and - critically - a non-default plugin configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor-level WordPress account on a store where the plugin's link access type is set to 'full' uses the generate_document_shortcode with an incremented or enumerated order ID belonging to another customer. The shortcode generates a permanent, session-free URL to that order's invoice PDF, which the attacker can then access directly from any browser without authentication, retrieving the victim customer's name, address, email, phone number, order totals, and payment details. |
| Remediation | An upstream fix has been committed to the plugin's Subversion repository (changeset 3590578 at https://plugins.trac.wordpress.org/changeset?reponame=&old=3590578%40woocommerce-pdf-invoices-packing-slips&new=3590578%40woocommerce-pdf-invoices-packing-slips); however, the specific released patched version number is not confirmed in the available data - site administrators should update to the latest available version via the WordPress plugin dashboard and verify the installed version exceeds 5.14.0 once a new release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43138
GHSA-wr2f-frvr-f8hg