Skip to main content

WooCommerce PDF Invoice Builder EUVDEUVD-2026-43467

| CVE-2026-57393 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable plugin endpoint requires only a low-privilege account; no integrity or availability impact; high confidentiality loss aligns with CWE-497 sensitive data retrieval.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:27 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 6.5

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce PDF Invoice Builder: from n/a through <= 2.0.8.

AnalysisAI

Sensitive system information exposure in the WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) enables authenticated low-privilege users to retrieve embedded sensitive data via network requests. Classified under CWE-497, the flaw allows an attacker with minimal WordPress credentials - such as a customer or subscriber account - to access system-level or configuration data that should be restricted to administrative contexts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain low-privilege WooCommerce account
Delivery
Authenticate to WordPress site
Exploit
Send crafted request to vulnerable plugin endpoint
Execution
Plugin returns embedded sensitive system data
Impact
Harvest data for reconnaissance or further attack

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum subscriber or customer-level privileges (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is driven by AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which accurately reflects a network-reachable, low-complexity flaw requiring only a low-privilege account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing low-privilege customer account on a WooCommerce store running the vulnerable plugin, then crafts a network request - likely to a plugin AJAX handler or REST API endpoint - that triggers the sensitive data retrieval path. The plugin responds with embedded system information that the attacker can harvest for reconnaissance or further exploitation. …
Remediation The primary remediation is to update the WooCommerce PDF Invoice Builder plugin beyond version 2.0.8; however, no specific patched release version was confirmed in the available intelligence data - users should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-pdf-invoice-builder/vulnerability/wordpress-woocommerce-pdf-invoice-builder-plugin-2-0-8-sensitive-data-exposure-vulnerability for the latest available fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy