Description
Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress flexible-invoices allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through <= 6.0.13.
Published: 2025-09-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a Cross-Site Request Forgery (CSRF, CWE-352) condition in the plugin's request handling. The CVE text does not name the affected action, so the concrete effect is inferred: an attacker who lures a logged-in administrator or shop manager to a page under the attacker's control can cause the plugin to perform a state-changing invoicing action (for example generating or altering invoice records) in that user's session, without the user's knowledge. The CVSS vector (C:N/I:L/A:H) records no confidentiality impact, limited integrity impact and high availability impact, so the rated damage is weighted toward disruption of the invoicing function rather than toward spoofed billing records.

Affected Systems

The vulnerable component is the wpdesk Flexible PDF Invoices for WooCommerce & WordPress plugin (slug flexible-invoices), versions 6.0.13 and earlier; no lower bound is given (n/a). Any WordPress site running one of these releases with the plugin active is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H: the forged request is delivered over the network, needs no privileges on the attacker's side and no special conditions, but requires the victim to interact (visit the attacker's page while logged in); the rated impact is low for integrity and high for availability, with no confidentiality loss. The EPSS score below 1% indicates a very low current probability of exploitation, the vulnerability is not in CISA's KEV catalog, and the SSVC record lists Exploitation: none and Automatable: no. The attack depends on the victim's browser attaching the WordPress session cookie to a request originated by a third-party site. Browsers that treat cookies lacking a SameSite attribute as Lax generally withhold them on cross-site POST submissions but still attach them on top-level GET navigations, so default cookie behaviour is not a substitute for per-request nonce checks in the plugin.

Generated by OpenCVE AI on April 30, 2026 at 00:59 UTC.

Remediation

No vendor fix or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Flexible PDF Invoices for WooCommerce & WordPress to a release the vendor identifies as fixing this issue; every release up to and including 6.0.13 is affected, and this page does not record a fixed version.
  • Restrict invoice generation to the roles that need it and remove the capability from users who do not, so a forged request riding on a lower-privileged session has nothing to trigger.
  • Ensure every action that creates or modifies invoices validates a WordPress nonce bound to that action (check_admin_referer, check_ajax_referer or wp_verify_nonce) and checks the caller's capability with current_user_can before doing any work.
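The following is an added illustrative example, not code from the Flexible PDF Invoices plugin or from wpdesk, and it does not claim to reproduce the plugin's actual handler. It shows the CSRF-prone admin-post pattern that CWE-352 describes beside its hardened form, using real WordPress and WooCommerce APIs; the action name fi_demo_generate_invoice, the function names and the meta key _fi_demo_invoice_generated are hypothetical, and it assumes a WordPress site with WooCommerce active (for example loaded as a small mu-plugin).

```php
<?php
/*
 * Added illustrative example; not code from the Flexible PDF Invoices plugin
 * or from wpdesk. The action name fi_demo_generate_invoice, the function
 * names and the meta key _fi_demo_invoice_generated are hypothetical.
 * Assumes a WordPress site with WooCommerce active.
 */

/*
 * CSRF-prone pattern (CWE-352): a privileged admin-post handler that acts on
 * any request carrying the logged-in cookie. A page on another origin can
 * auto-submit a form to /wp-admin/admin-post.php with
 * action=fi_demo_generate_invoice&order_id=123, and the victim's browser
 * attaches the WordPress auth cookie. Shown for contrast only; it is never
 * registered below.
 */
function fi_demo_generate_invoice_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_die( 'Invalid order id' );
    }
    // No nonce and no capability check: the cookie alone authorises the write.
    $order->update_meta_data( '_fi_demo_invoice_generated', time() );
    $order->save();
    wp_safe_redirect( admin_url( 'admin.php?page=fi-demo&done=1' ) );
    exit;
}

/*
 * Hardened form of the same handler.
 */
function fi_demo_generate_invoice_hardened() {
    // 1. Capability first: a logged-in customer or subscriber is rejected even
    //    if they hold a valid nonce for this action (nonces are per user and
    //    any page that emits one hands it to whoever is logged in).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce bound to this action: check_admin_referer() reads
    //    $_REQUEST['_wpnonce'], verifies it against the action string and the
    //    current user session, and terminates the request on mismatch. A page
    //    on another origin cannot read the nonce, so it cannot forge the
    //    request even though the browser still sends the cookie.
    check_admin_referer( 'fi_demo_generate_invoice' );

    // 3. Validate the target only after the request is proven legitimate.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_die( 'Invalid order id', '', array( 'response' => 400 ) );
    }

    $order->update_meta_data( '_fi_demo_invoice_generated', time() );
    $order->save();
    wp_safe_redirect( admin_url( 'admin.php?page=fi-demo&done=1' ) );
    exit;
}
// Only the hardened handler is wired to the admin-post action.
add_action( 'admin_post_fi_demo_generate_invoice', 'fi_demo_generate_invoice_hardened' );

/*
 * The legitimate form must carry the matching nonce. wp_nonce_field() emits
 * the hidden _wpnonce input (plus _wp_http_referer) that
 * check_admin_referer() expects.
 */
function fi_demo_render_generate_form( $order_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fi_demo_generate_invoice">
        <input type="hidden" name="order_id" value="<?php echo absint( $order_id ); ?>">
        <?php wp_nonce_field( 'fi_demo_generate_invoice' ); ?>
        <button type="submit">Generate invoice</button>
    </form>
    <?php
}
```

For a wp_ajax_ handler the equivalent guard is check_ajax_referer( 'fi_demo_generate_invoice', 'nonce' ), with the nonce created by wp_create_nonce() and passed in the request. The two checks are complementary: the nonce proves the request came from a page the site itself rendered, and the capability check proves the user is allowed to take the action, so neither one alone closes the hole.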



Advisories
Source: EUVD
ID: EUVD-2025-30661
Title: Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through 6.0.13.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce &amp; WordPress flexible-invoices allows Cross Site Request Forgery.This issue affects Flexible PDF Invoices for WooCommerce &amp; WordPress: from n/a through <= 6.0.13.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress flexible-invoices allows Cross Site Request Forgery.This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through <= 6.0.13.

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce &amp; WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce &amp; WordPress: from n/a through 6.0.13.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce &amp; WordPress flexible-invoices allows Cross Site Request Forgery.This issue affects Flexible PDF Invoices for WooCommerce &amp; WordPress: from n/a through <= 6.0.13.
Type: References (no values shown)
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Thu, 25 Sep 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Wpdesk; Wpdesk flexible Pdf Invoices
Type: Vendors & Products
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Wpdesk; Wpdesk flexible Pdf Invoices

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce &amp; WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce &amp; WordPress: from n/a through 6.0.13.
Type: Title
Values Added: WordPress Flexible PDF Invoices for WooCommerce & WordPress Plugin <= 6.0.13 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References (no values shown)
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.798Z

Reserved: 2025-08-22T11:37:13.319Z

Link: CVE-2025-57977

Vulnrichment

Updated: 2025-09-25T13:53:20.280Z

NVD

Status : Deferred

Published: 2025-09-22T19:15:57.537

Modified: 2026-04-28T19:34:00.140

Link: CVE-2025-57977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses