Pdf Invoices Packing Slips For Woocommerce
Monthly
Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.
Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.