Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Stored XSS. This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 4.6.0.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to neutralize user-supplied input, which allows stored cross-site scripting (XSS). When an attacker supplies malicious data via the invoice builder's form fields, the payload is saved and later rendered in the browser of any user who views the invoice. This can lead to session hijacking, cookie theft, defacement, or execution of arbitrary client-side code in the context of the victim's browser. The vulnerability is a classic instance of CWE-79. Exploitation requires injecting JavaScript into the stored content, which then executes when the invoice is displayed to users. This undermines the confidentiality and integrity of user data and can facilitate broader attacks across the site.

Affected Systems

Add-ons.org PDF Invoice Builder for WooCommerce on any WordPress installation running plugin version 4.6.0 or older. Any site with the plugin installed is potentially affected. The advisory gives only the maximum vulnerable release (4.6.0); all earlier versions are also affected.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate risk to users who view invoices. The EPSS score below 1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector requires that the attacker have access to the invoice creation or editing interface, typically as an authenticated user with administrative or vendor privileges. Once the malicious payload is stored, any user who opens the invoice will have the script executed in their browser. Knowledge of the exploit is limited and no public exploit scripts are currently known.

Generated by OpenCVE AI on May 1, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PDF Invoice Builder for WooCommerce to the latest release that addresses the XSS flaw.
  • If a patch is not immediately available, restrict the ability to create or edit invoices to trusted administrators and apply input sanitization on the plugin’s form fields.
  • Deploy a site‑wide Content Security Policy that blocks inline scripts and restricts script sources to known, trusted origins.
  • Consider temporarily disabling or uninstalling the plugin until it can be updated.
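As an added illustration of the second and third actions above (it is not the plugin's code; the field names, template and stored record are constructed, and a server-rendered HTML view is assumed rather than the plugin's PDF path), the following shows the pattern behind a stored XSS at the rendering step and its fix. One renderer interpolates a stored invoice field verbatim, the other escapes every value at output time, and a small parser check confirms that the escaped output creates only the template's own elements. The last helper builds the kind of nonce-based Content Security Policy the third action describes.

```python
"""Stored XSS at render time: verbatim vs. escaped output, plus a CSP header.
Added example, not the plugin's code; record layout and field names assumed."""
import html
import secrets
from html.parser import HTMLParser

# Constructed sample of a stored invoice record in which an editor has pasted
# markup into a free-text field; this is the data shape the advisory describes.
STORED_INVOICE = {
    "customer_name": "Acme GmbH <script>alert(1)</script>",
    "note": 'Net 30 & thanks for your "order"',
}

# Assumed template: the only elements it emits itself are two <p> tags.
TEMPLATE = "<p>Bill to: {customer_name}</p><p>Note: {note}</p>"


def render_unsafe(fields: dict) -> str:
    """Interpolates stored values verbatim: whatever markup was saved runs."""
    return TEMPLATE.format(**fields)


def render_safe(fields: dict) -> str:
    """Escapes each stored value at output time so it renders as text only."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)


class _TagCollector(HTMLParser):
    """Records the start tags a browser would create from a markup string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup: str) -> list:
    """Element names, in document order, that the markup would produce."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_unexpected_elements(markup: str, allowed=("p",)) -> bool:
    """Regression check: anything beyond the template's own elements means
    stored data was interpreted as markup."""
    return any(tag not in allowed for tag in element_names(markup))


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that refuses inline script; the site's
    own <script> tags must carry the per-response nonce to run."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print("unsafe elements:", element_names(render_unsafe(STORED_INVOICE)))
    print("safe elements:  ", element_names(render_safe(STORED_INVOICE)))
    print("safe markup:    ", render_safe(STORED_INVOICE))
    print("CSP:            ", csp_header(secrets.token_urlsafe(16)))
```

The escaping step is the same one WordPress exposes as esc_html() and esc_attr(); sanitizing on input (the action's wording) is a useful second layer, but output escaping at the point of rendering is what removes the class of bug, because it does not depend on every storage path having been filtered. The CSP is a containment measure, not a fix: with 'unsafe-inline' absent from script-src, a stored inline script that slips past escaping is refused by the browser, and the nonce lets legitimate page scripts keep working.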


Advisories
Source: EUVD
ID: EUVD-2025-3942
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF Invoices for WooCommerce + Drag and Drop Template Builder allows Stored XSS. This issue affects PDF Invoices for WooCommerce + Drag and Drop Template Builder: from n/a through 4.6.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF Invoices for WooCommerce + Drag and Drop Template Builder allows Stored XSS. This issue affects PDF Invoices for WooCommerce + Drag and Drop Template Builder: from n/a through 4.6.0.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Stored XSS. This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 4.6.0.
Title
    Removed: WordPress PDF Invoices for WooCommerce plugin <= 4.6.0 - Cross Site Scripting (XSS) vulnerability
    Added: WordPress PDF Invoice Builder for WooCommerce plugin <= 4.6.0 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF Invoices for WooCommerce + Drag and Drop Template Builder allows Stored XSS. This issue affects PDF Invoices for WooCommerce + Drag and Drop Template Builder: from n/a through 4.6.0.
Title WordPress PDF Invoices for WooCommerce plugin <= 4.6.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:33.974Z

Reserved: 2025-01-23T14:53:08.866Z

Link: CVE-2025-24755

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-01-24T18:15:49.160

Modified: 2026-06-17T08:59:33.300

Link: CVE-2025-24755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')