Skip to main content

WooCommerce PDF Invoices Plugin CVE-2026-49056

| EUVDEUVD-2026-36869 HIGH
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-15 Patchstack GHSA-pvhc-cw6m-9mp8
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint discloses customer PII; no integrity or availability impact, so C:H, I:N, A:N with PR:N and AC:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:41 vuln.today
CVE Published
Jun 15, 2026 - 20:19 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the WebToffee 'WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels' WordPress plugin versions 4.9.4 and earlier allows remote attackers to retrieve protected information without credentials. The flaw, reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with confidentiality-only impact. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected component is the WebToffee-developed WordPress plugin (CPE cpe:2.3:a:webtoffee:woocommerce_pdf_invoices,_packing_slips,_delivery_notes_and_shipping_labels) that generates PDF invoices, packing slips, delivery notes and shipping labels for WooCommerce stores. These documents typically contain customer PII (names, billing/shipping addresses, email, phone numbers), order line items, totals, and sometimes tax identifiers. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) here most plausibly manifests as direct, unauthenticated access to generated PDFs or to plugin endpoints that return order/customer data without verifying the requester's capability or order ownership - a recurring weakness in WooCommerce document-generation plugins where predictable IDs, missing nonce checks, or missing capability checks expose stored documents over HTTP(S).

RemediationAI

Upstream fix availability is not independently confirmed from the supplied data; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/print-invoices-packing-slip-labels-for-woocommerce/vulnerability/wordpress-woocommerce-pdf-invoices-packing-slips-delivery-notes-and-shipping-labels-plugin-4-9-4-sensitive-data-exposure-vulnerability and the WebToffee plugin page on wordpress.org for the patched release (any version greater than 4.9.4) and upgrade immediately. Until an upgrade is applied, restrict access to the plugin's invoice/document endpoints at the web server or WAF layer (for example, deny anonymous requests to wp-admin/admin-ajax.php actions and any plugin-specific URLs that return PDFs or order data), enforce authentication on document downloads via a Patchstack/Wordfence virtual patch, and consider temporarily deactivating the plugin if customer-facing PDF generation is not business-critical - accepting the trade-off that order documents will not be auto-generated. Rotate or invalidate any predictable document URLs and review web/access logs for prior anomalous PDF or admin-ajax requests to assess potential past exposure.

Share

CVE-2026-49056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy