Description
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to a missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escaping in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
Published: 2025-12-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Print Invoice & Delivery Notes for WooCommerce plugin contains an unauthenticated code injection vulnerability due to a missing capability check in its update routine, PHP execution enabled inside the Dompdf library, and lack of escaping in its template. This flaw is a CWE-94 injection that allows an attacker to inject and execute arbitrary PHP code when a PDF is requested. Based on the description, the likely attack vector is an unauthenticated HTTP request to the update endpoint that triggers PDF generation.

Affected Systems

Tyche Softwares publishes the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress. All releases up to and including 5.8.0 are affected; the vulnerability is present in the ‘update’ function of the plugin. The vendor has released newer versions that address the issue, but the CVE entry does not list a specific patched version.

Risk and Exploitability

The CVSS score of 9.8 marks this as a critical severity flaw, but the EPSS score of less than 1% indicates a very low probability of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, no special privileges are required; an attacker can trigger the code execution simply by sending the crafted request to the vulnerable endpoint. Thus, the risk is high if the plugin is present, but the practical exploit likelihood remains low without visible attacks.

Generated by OpenCVE AI on April 21, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Print Invoice & Delivery Notes for WooCommerce plugin to the latest version released by Tyche Softwares, which adds the missing capability check and disables PHP execution in the PDF generator.
  • If an upgrade cannot be performed immediately, permanently deactivate or uninstall the plugin to eliminate the attack surface.
  • As a temporary workaround, restrict the ‘update’ hook to users with the capability to edit plugin options or remove the hook altogether, ensuring that only authorized administrators can trigger PDF generation.
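An illustrative hardened handler, added here as an example and not the plugin's or vendor's own code, showing the three fixes the actions above name together: a capability and nonce check on the update hook, PHP execution left disabled in Dompdf, and escaping of stored values in the template. The function names, option key and nonce action are assumptions; current_user_can, check_admin_referer, esc_html and Dompdf's isPhpEnabled option are real APIs.

```php
<?php
// Illustrative hardening example (assumption: not the plugin's actual code).
// Function names, option key and nonce action below are hypothetical.

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Settings update handler. Before touching any setting, verify that the
 * caller is an authenticated user with the right capability and that the
 * request carries a valid nonce; an unauthenticated request stops here.
 */
function wcdn_example_update() {
    // Capability check: only shop managers and administrators may change settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wcdn-example' ), 403 );
    }
    // Nonce check: rejects forged cross-site requests for this action.
    check_admin_referer( 'wcdn_example_update', 'wcdn_example_nonce' );

    // Sanitize every submitted value before it is stored.
    $settings = array(
        'company_name' => sanitize_text_field( wp_unslash( $_POST['company_name'] ?? '' ) ),
    );
    update_option( 'wcdn_example_settings', $settings );
}

/**
 * PDF rendering. PHP evaluation inside the HTML stays off (Dompdf's default),
 * and every stored value is escaped when placed into the template, so a
 * value that reached the settings is rendered as text, never executed.
 */
function wcdn_example_render_pdf( array $settings ) {
    $options = new Options();
    $options->set( 'isPhpEnabled', false );    // never evaluate <?php ?> in templates
    $options->set( 'isRemoteEnabled', false ); // no fetching of remote resources either

    // Escaped template output: stored text cannot break out into markup or code.
    $html = '<h1>' . esc_html( $settings['company_name'] ) . '</h1>';

    $dompdf = new Dompdf( $options );
    $dompdf->loadHtml( $html );
    $dompdf->render();
    return $dompdf->output();
}
```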

Advisories

No advisories yet.

History

Wed, 24 Dec 2025 15:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 12:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added:
  Tychesoftwares
  Tychesoftwares print Invoice & Delivery Notes For Woocommerce
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added:
  Tychesoftwares
  Tychesoftwares print Invoice & Delivery Notes For Woocommerce
  Wordpress
  Wordpress wordpress

Wed, 24 Dec 2025 04:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.

Type: Title
Values Removed: (empty)
Values Added: Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-94

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Tychesoftwares Print Invoice & Delivery Notes For Woocommerce
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:46.005Z

Reserved: 2025-11-28T05:56:13.257Z

Link: CVE-2025-13773

Vulnrichment

Updated: 2025-12-24T14:17:01.836Z

NVD

Status : Deferred

Published: 2025-12-24T05:16:05.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13773

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses