CVE-2026-1906
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Tags
Description
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
Analysis
Authenticated attackers with Subscriber-level or higher access to WordPress sites running PDF Invoices & Packing Slips for WooCommerce through version 5.6.0 can modify Peppol/EDI endpoint identifiers for arbitrary orders due to missing authorization checks in the plugin's AJAX handler. This allows attackers to redirect invoices to different endpoints, potentially disrupting payment processing and exposing sensitive customer data. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Insecure Direct Object Refere and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today