Impact
The Print Invoice & Delivery Notes for WooCommerce plugin contains an unauthenticated code injection flaw that maps to CWE‑94. A missing capability check in the WooCommerce_Delivery_Notes::update function, combined with enabled PHP execution in the Dompdf library and unescaped template variables, permits an attacker to embed arbitrary PHP code that is executed when a PDF is generated. This gives the attacker full control over the server, compromising confidentiality, integrity, and availability.
Affected Systems
Tyche Softwares develops the WooCommerce plugin. All releases of Print Invoice & Delivery Notes for WooCommerce up to and including version 5.8.0 are affected. The vulnerability resides in the WooCommerce_Delivery_Notes::update routine and relies on the plugin’s integration with Dompdf to interpret user input as PHP.
Risk and Exploitability
The CVSS score of 9.8 classifies this as a critical vulnerability, while the EPSS score of 3% indicates that the current likelihood of exploitation is low. Because no authentication is required, an attacker with network access to the WordPress site can send a crafted HTTP request to the exposed update endpoint and trigger arbitrary code execution. The flaw is not listed in the CISA KEV catalog; nevertheless, the severity and ease of exploitation make immediate remediation essential.
OpenCVE Enrichment