What is the CVSS score of CVE-2026-52704?

CVE-2026-52704 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of WooCommerce PDF Invoice Builder are affected by CVE-2026-52704?

The Edgar Rojas WooCommerce PDF Invoice Builder plugin (versions through 2.0.8) contains an unauthenticated remote code execution vulnerability that could allow attackers to fully compromise…

How to fix or mitigate CVE-2026-52704?

Within 24 hours: Audit all WordPress instances to identify installations of Edgar Rojas WooCommerce PDF Invoice Builder through version 2.0.8 and determine network exposure. Within 7 days: Either disable the plugin immediately if operationally feasible, or implement WAF rules to block requests to vulnerable endpoints and restrict WordPress admin access to known IP ranges. Within 30 days: Monitor vendor advisory channels for patch availability; if no update emerges within 30 days, migrate to an alternative PDF invoice generation plugin from an actively maintained vendor.

WooCommerce PDF Invoice Builder CVE-2026-52704

EUVD-2026-36720 CRITICAL

Code Injection (CWE-94)

2026-06-15 Patchstack

GHSA-p32f-9xm9-5fjr

Code Injection WordPress RCE Woocommerce Pdf Invoice Builder

10.0

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

vuln.today AI

10.0 CRITICAL

Unauthenticated network-reachable code injection in a WordPress plugin yields PR:N/UI:N/AC:L; RCE breaks out of the plugin sandbox into the host PHP process, justifying S:C with full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 15, 2026 - 14:31 vuln.today

CVE Published

Jun 15, 2026 - 12:49 cve.org

CRITICAL 10.0

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.

This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

Articles & Coverage 1

News Critical RCE in WordPress WooCommerce PDF Invoice Builder Plugin - CVE-2026-52704 Jun 15, 2026

AnalysisAI

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Fingerprint WordPress plugin version

Delivery

Send crafted HTTP request to vulnerable endpoint

Exploit

Inject PHP code via Code Injection flaw

Execution

Execute arbitrary code as web server user

Persist

Drop webshell for persistence

Impact

Exfiltrate wp-config.php and pivot

Access

Fingerprint WordPress plugin version

Delivery

Send crafted HTTP request to vulnerable endpoint

Exploit

Inject PHP code via Code Injection flaw

Execution

Execute arbitrary code as web server user

Persist

Drop webshell for persistence

Impact

Exfiltrate wp-config.php and pivot

Vulnerability AssessmentAI

Exploitation	No special conditions - remote unauthenticated exploitation against default configurations of any WordPress site with the WooCommerce PDF Invoice Builder plugin installed and active at version 2.0.8 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability ranks as critical-priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies a WordPress site running WooCommerce PDF Invoice Builder ≤2.0.8 via fingerprinting (plugin readme.txt or asset URLs), then sends a crafted HTTP request to a vulnerable plugin endpoint that injects PHP code or includes a remote/attacker-controlled file. The injected code executes as the web server user, giving the attacker a webshell, the ability to exfiltrate the wp-config.php database credentials, and a foothold to drop persistence such as malicious admin users or backdoored plugin files.
Remediation	Upgrade WooCommerce PDF Invoice Builder to a version newer than 2.0.8 as soon as the vendor publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-pdf-invoice-builder/vulnerability/wordpress-woocommerce-pdf-invoice-builder-plugin-2-0-8-remote-code-execution-rce-vulnerability should be monitored for the exact patched version, as no fixed version was independently confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances to identify installations of Edgar Rojas WooCommerce PDF Invoice Builder through version 2.0.8 and determine network exposure. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-52704 vulnerability details – vuln.today

Back

WooCommerce PDF Invoice Builder CVE-2026-52704

Severity by source

CVSS VectorVendor: Patchstack

Lifecycle Timeline

DescriptionCVE.org

Articles & Coverage 1

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code