Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress plugin endpoint discloses customer PII; no integrity or availability impact, so C:H, I:N, A:N with PR:N and AC:L.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the WebToffee 'WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels' WordPress plugin versions 4.9.4 and earlier allows remote attackers to retrieve protected information without credentials. The flaw, reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with confidentiality-only impact. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected component is the WebToffee-developed WordPress plugin (CPE cpe:2.3:a:webtoffee:woocommerce_pdf_invoices,_packing_slips,_delivery_notes_and_shipping_labels) that generates PDF invoices, packing slips, delivery notes and shipping labels for WooCommerce stores. These documents typically contain customer PII (names, billing/shipping addresses, email, phone numbers), order line items, totals, and sometimes tax identifiers. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) here most plausibly manifests as direct, unauthenticated access to generated PDFs or to plugin endpoints that return order/customer data without verifying the requester's capability or order ownership - a recurring weakness in WooCommerce document-generation plugins where predictable IDs, missing nonce checks, or missing capability checks expose stored documents over HTTP(S).
RemediationAI
Upstream fix availability is not independently confirmed from the supplied data; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/print-invoices-packing-slip-labels-for-woocommerce/vulnerability/wordpress-woocommerce-pdf-invoices-packing-slips-delivery-notes-and-shipping-labels-plugin-4-9-4-sensitive-data-exposure-vulnerability and the WebToffee plugin page on wordpress.org for the patched release (any version greater than 4.9.4) and upgrade immediately. Until an upgrade is applied, restrict access to the plugin's invoice/document endpoints at the web server or WAF layer (for example, deny anonymous requests to wp-admin/admin-ajax.php actions and any plugin-specific URLs that return PDFs or order data), enforce authentication on document downloads via a Patchstack/Wordfence virtual patch, and consider temporarily deactivating the plugin if customer-facing PDF generation is not business-critical - accepting the trade-off that order documents will not be auto-generated. Rotate or invalidate any predictable document URLs and review web/access logs for prior anomalous PDF or admin-ajax requests to assess potential past exposure.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee WooComme
The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to St
The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to un
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36869
GHSA-pvhc-cw6m-9mp8