Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable plugin endpoint requires only a low-privilege account; no integrity or availability impact; high confidentiality loss aligns with CWE-497 sensitive data retrieval.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce PDF Invoice Builder: from n/a through <= 2.0.8.
AnalysisAI
Sensitive system information exposure in the WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) enables authenticated low-privilege users to retrieve embedded sensitive data via network requests. Classified under CWE-497, the flaw allows an attacker with minimal WordPress credentials - such as a customer or subscriber account - to access system-level or configuration data that should be restricted to administrative contexts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum subscriber or customer-level privileges (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) is driven by AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which accurately reflects a network-reachable, low-complexity flaw requiring only a low-privilege account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing low-privilege customer account on a WooCommerce store running the vulnerable plugin, then crafts a network request - likely to a plugin AJAX handler or REST API endpoint - that triggers the sensitive data retrieval path. The plugin responds with embedded system information that the attacker can harvest for reconnaissance or further exploitation. … |
| Remediation | The primary remediation is to update the WooCommerce PDF Invoice Builder plugin beyond version 2.0.8; however, no specific patched release version was confirmed in the available intelligence data - users should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-pdf-invoice-builder/vulnerability/wordpress-woocommerce-pdf-invoice-builder-plugin-2-0-8-sensitive-data-exposure-vulnerability for the latest available fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows un
The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to SQL Injection via the pageId parameter in vers
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings
The WooCommerce PDF Invoice Builder for WordPress is vulnerable to unauthorized access of data due to a missing capabili
The WooCommerce PDF Invoice Builder for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce che
The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to,
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43467