
WooCommerce PDF Invoices & Packing Slips CVE-2026-39472

EUVD-2026-36936 · HIGH 7.2 (CVSS 3.1, vendor score from Patchstack)
Deserialization of Untrusted Data (CWE-502)
Published 2026-06-15 · Patchstack · GHSA-jhg8-f96w-x397

Severity by source

Vendor (Patchstack), primary rating: 7.2 HIGH
  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.2 HIGH
  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  Rationale: network-reachable WordPress endpoint (AV:N); a straightforward serialized payload (AC:L); requires a Shop Manager account (PR:H); no victim interaction (UI:N); object injection typically yields full confidentiality, integrity and availability impact (C:H/I:H/A:H).

Primary rating taken from the vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High

Lifecycle Timeline

Jun 15, 2026 20:17  CVE published (cve.org)
Jun 15, 2026 22:02  Patch available (EUVD)
Jun 15, 2026 22:30  Analysis generated (vuln.today)

Description (CVE.org)

Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.

Analysis (AI-generated)

PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users holding the Shop Manager role to reach an unsafe deserialization of attacker-supplied data, which can lead to full compromise of confidentiality, integrity and availability. The flaw was disclosed through Patchstack and a vendor patch is available; no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata, not an observed intrusion:

Recon: obtain Shop Manager credentials
Delivery: authenticate to WordPress admin
Exploit: submit a crafted serialized payload to the plugin endpoint
Install: trigger the unsafe unserialize() call
C2: execute a POP gadget chain
Execute: write a webshell or execute PHP
Impact: full site compromise

The last three steps assume a usable gadget chain exists among the classes loaded on the target (WordPress core, WooCommerce, other plugins and themes): unserialize() instantiates whatever class the payload names, but what that achieves depends entirely on what those classes do in their magic methods.
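The Exploit step above hinges on one observable property: the submitted payload, once deserialized, instantiates a class. The following is an added example written for this page, not code from the plugin, from Patchstack or from vuln.today. It is a Python parser for PHP's serialize() format that reports which classes a payload would instantiate, usable for triaging request logs or as a pre-check in front of the application. The field names, the class name Example_Gadget and the sample bodies are constructed placeholders, not real plugin endpoints or known gadget classes.

```python
"""Triage PHP serialize() payloads for object instantiation.

Added example for this page; not code from the plugin, Patchstack or
vuln.today.  A small parser for PHP's serialization format returns the
class names unserialize() would instantiate, which every PHP object
injection payload must do.  Field names, the class Example_Gadget and
the sample request bodies are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus


class PhpSerializeError(ValueError):
    """Input is not well-formed PHP serialized data."""


def _match(pattern, s, i):
    m = re.compile(pattern).match(s, i)
    if m is None:
        raise PhpSerializeError(f"unexpected data at offset {i}")
    return m


def _expect(s, i, token):
    if not s.startswith(token, i):
        raise PhpSerializeError(f"expected {token!r} at offset {i}")


def _parse(s, i, classes):
    """Parse one value at s[i], record class names, return the offset after it."""
    if i >= len(s):
        raise PhpSerializeError("truncated data")
    t = s[i]
    if t == "N":                                  # N;  null
        _expect(s, i + 1, ";")
        return i + 2
    if t in "ibdrR":                              # i:1; b:1; d:0.5; r:2; R:2;
        return _match(r"[ibdrR]:[^;]*;", s, i).end()
    if t == "s":                                  # s:<len>:"<bytes>";
        m = _match(r's:(\d+):"', s, i)
        end = m.end() + int(m.group(1))           # body is skipped by declared
        _expect(s, end, '";')                     # length, never interpreted
        return end + 2
    if t == "a":                                  # a:<n>:{key;value;...}
        m = _match(r"a:(\d+):\{", s, i)
        j = m.end()
        for _ in range(int(m.group(1))):
            j = _parse(s, j, classes)             # key
            j = _parse(s, j, classes)             # value
        _expect(s, j, "}")
        return j + 1
    if t in "OC":                                 # O:<len>:"<class>":<n>:{props}
        m = _match(r'[OC]:(\d+):"', s, i)         # C:<len>:"<class>":<len>:{blob}
        end = m.end() + int(m.group(1))
        classes.append(s[m.end():end])            # what unserialize() would instantiate
        m2 = _match(r'":(\d+):\{', s, end)
        j = m2.end()
        if t == "O":
            for _ in range(int(m2.group(1))):     # property name/value pairs
                j = _parse(s, j, classes)
                j = _parse(s, j, classes)
        else:
            j += int(m2.group(1))                 # opaque Serializable payload
        _expect(s, j, "}")
        return j + 1
    raise PhpSerializeError(f"unknown type {t!r} at offset {i}")


def instantiated_classes(data):
    """Class names unserialize() would instantiate for `data`, in order.

    PHP lengths count bytes, so str input is re-read as latin-1 so that one
    character equals one byte.  Raises PhpSerializeError on malformed input.
    """
    s = data.decode("latin-1") if isinstance(data, bytes) else data.encode("utf-8").decode("latin-1")
    classes = []
    if _parse(s, 0, classes) != len(s):
        raise PhpSerializeError("trailing data after value")
    return classes


def scan_form_body(body):
    """Map field -> classes for fields of an x-www-form-urlencoded body whose
    value is serialized PHP that instantiates objects.  Values that are not
    PHP-serialized at all are ignored, as unserialize() would reject them."""
    hits = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        try:
            classes = instantiated_classes(unquote_plus(value))
        except (ValueError, IndexError):
            continue
        if classes:
            hits[unquote_plus(name)] = classes
    return hits


# Constructed sample bodies (not captured traffic): a benign serialized array,
# a URL-encoded object payload as a browser would send it, and a string whose
# content merely looks like an object.
SAMPLE_BODIES = [
    "order_ids=a:2:{i:0;i:123;i:1;i:456;}",
    "settings=O%3A14%3A%22Example_Gadget%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A10%3A%22%2Ftmp%2Fx.txt%22%3B%7D",
    'note=s:15:"O:4:"Evil":0:{}";',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(scan_form_body(body) or "clean", "<-", body)
```

A plain regex for `O:\d+:"` would miss the URL-encoded second sample and would flag the third, where the object-looking text is only the content of a string; the parser honours the declared lengths, so it behaves like PHP. The equivalent control inside the application is PHP's `unserialize($data, ['allowed_classes' => false])`, which refuses to instantiate any class, or better, not calling unserialize() on user-controlled input at all.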

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires an authenticated WordPress account holding the WooCommerce Shop Manager role (or higher) on a site running the WooCommerce PDF Invoices & Packing Slips plugin at a version below 5.9.0; the CVE description explicitly scopes the bug to Shop Manager actions. …

Risk Assessment: Real-world risk is moderate to high but bounded by the PR:H requirement: CVSS 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates network-reachable, low-complexity exploitation with high impact, but only for a user who already holds Shop Manager credentials. Shop Manager is a WooCommerce role that cannot install plugins or edit code, so a deserialization path reachable from it turns a store-operations account into code execution on the host. …

Exploit Scenario: An attacker who has obtained Shop Manager credentials, through phishing, credential stuffing against a WooCommerce store, or insider abuse, submits a crafted serialized PHP payload to a vulnerable endpoint of the plugin. The plugin passes the input to unserialize(), which instantiates attacker-chosen classes; if a usable POP gadget chain exists among the classes loaded by WordPress, WooCommerce or other installed plugins, its magic methods (__wakeup, __destruct, __toString and similar) can be driven to an arbitrary file write or code execution, letting the attacker plant a webshell and pivot to full site takeover. Without such a chain the same bug has a lower impact, so the gadgets available on a given site decide whether object injection becomes remote code execution there. …
Remediation: Vendor-released patch: upgrade the WooCommerce PDF Invoices & Packing Slips plugin to version 5.9.0 or later via the WordPress plugin dashboard, or by replacing the plugin files from the official source, as documented in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woocommerce-pdf-invoices-packing-slips/vulnerability/wordpress-woocommerce-pdf-invoices-packing-slips-plugin-5-9-0-php-object-injection-vulnerability). After updating, confirm the installed version on every site, including staging copies and multisite networks, and review who holds the Shop Manager role, since that role is the exposure boundary until the update is applied. …

Recommended Action (AI-generated)

Within 24 hours: catalog all WordPress installations running WooCommerce PDF Invoices & Packing Slips and document their current versions. …
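Cataloguing installations and comparing versions against the fixed release is the part of the remediation and recommended action above that is easy to get wrong at scale (manually installed copies, staging sites, version strings with suffixes). The following is an added example written for this page, not code from the plugin, Patchstack or vuln.today. It reads the plugin header the way WordPress itself does (the first 8 KiB of each top-level PHP file in the plugin directory, looking for the `Version:` line) and compares it with 5.9.0. Assumptions: the plugin directory is named after the wordpress.org slug `woocommerce-pdf-invoices-packing-slips` (a manually installed copy may use another name), and the demo sites it scans are constructed in a temporary directory.

```python
"""Inventory WordPress sites for pre-5.9.0 copies of the plugin.

Added example for this page; not code from the plugin, Patchstack or
vuln.today.  It reads the plugin header the way WordPress itself does
(the first 8 KiB of each top-level PHP file in the plugin directory,
'Version:' line) and compares the value with the fixed release.
Assumptions: the plugin directory name equals the wordpress.org slug
woocommerce-pdf-invoices-packing-slips (a manually installed copy may
use another name), and the demo sites are constructed in a temp dir.
"""
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "woocommerce-pdf-invoices-packing-slips"  # assumption, see above
FIXED_VERSION = "5.9.0"                                   # from the advisory
HEADER_BYTES = 8192                                       # WordPress header window


def version_key(version):
    """Sortable key approximating PHP version_compare(): numeric parts padded
    to four places, with a pre-release suffix ranking below the plain release."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    prerelease = re.search(r"alpha|beta|rc|dev", m.group(2), re.I) is not None
    return nums + (0 if prerelease else 1,)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is below the fixed release."""
    return version_key(installed) < version_key(fixed)


def plugin_header_version(plugin_dir):
    """Version: header of the plugin in plugin_dir, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", errors="replace")
        if re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M):
            m = re.search(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t\r]*$", head, re.M)
            return m.group(1) if m else None
    return None


def inventory(wp_roots):
    """One (root, version, vulnerable) row per site with the plugin installed;
    vulnerable is None when the header could not be read."""
    rows = []
    for root in wp_roots:
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        if not plugin_dir.is_dir():
            continue
        version = plugin_header_version(plugin_dir)
        rows.append((str(root), version, is_vulnerable(version) if version else None))
    return rows


HEADER_TEMPLATE = """<?php
/**
 * Plugin Name: WooCommerce PDF Invoices & Packing Slips
 * Version: {version}
 */
"""


def build_demo_sites(base=None):
    """Construct three fake WordPress roots (demo data, not real installs):
    one with a vulnerable version, one patched, one without the plugin.
    Returns the roots in name order."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for name, version in [("shop-a", "5.8.2"), ("shop-b", "5.9.0"), ("shop-c", None)]:
        root = base / name
        (root / "wp-content" / "plugins").mkdir(parents=True, exist_ok=True)
        if version:
            plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
            plugin_dir.mkdir()
            (plugin_dir / "main.php").write_text(HEADER_TEMPLATE.format(version=version))
    return sorted(p for p in base.iterdir() if p.is_dir())


if __name__ == "__main__":
    for root, version, vulnerable in inventory(build_demo_sites()):
        print(f"{root}: version {version} -> {'UPDATE' if vulnerable else 'ok'}")
```

Point `inventory()` at the real document roots instead of the demo set; a `None` in the version column means the directory exists but carries no readable header and needs a manual look. On hosts with WP-CLI, `wp plugin get woocommerce-pdf-invoices-packing-slips --field=version` reads the same header and is a quick cross-check for a single site.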



CVE-2026-39472 vulnerability details – vuln.today
