Impact
The vulnerability is a deserialization-of-untrusted-data flaw (CWE-502) in the PDF Invoice Builder for WooCommerce plugin. The plugin unserializes data originating from the WooCommerce invoice process without first validating it, so an attacker who can supply a crafted serialized payload can have arbitrary PHP objects instantiated (PHP object injection). If a class with an exploitable magic method (for example __wakeup or __destruct) is loadable at that point, the injected object can be used to execute arbitrary code on the host, effectively giving the attacker full control of the WordPress installation. Whether object injection escalates to code execution therefore depends on the gadget classes available in the site's PHP code base (WordPress core, themes and other plugins), not on this plugin alone.
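The mechanism described above, as an added illustration that is not code from the plugin or from this advisory: a hypothetical gadget class, a constructed serialized payload, the vulnerable unserialize() call, and the hardened form. The class name InvoiceTempFile, the two function names and the payload are invented for the demo; the page does not identify the plugin's actual code path or any real gadget.

```php
<?php
// Added illustration (not plugin code): how PHP object injection arises from
// unserialize() on untrusted input, and how allowed_classes removes the gadget.

// Hypothetical gadget class. Any class loaded at deserialization time whose
// magic method acts on attacker-controlled properties will do.
class InvoiceTempFile
{
    public string $path = '';

    // Runs automatically when the object is destroyed, including an object
    // rebuilt by unserialize(). The attacker controls $path.
    public function __destruct()
    {
        if ($this->path !== '') {
            echo "[gadget] __destruct ran with attacker-controlled path: {$this->path}\n";
            // unlink($this->path);   // left commented so the demo is harmless
        }
    }
}

// Constructed payload standing in for attacker-controlled serialized data
// (e.g. a request parameter or stored meta the plugin later unserializes).
$payload = 'O:15:"InvoiceTempFile":1:{s:4:"path";s:9:"/etc/motd";}';

// --- Vulnerable pattern (CWE-502) ---
function loadInvoiceDataVulnerable(string $data)
{
    // Any class available at runtime can be instantiated; its magic methods
    // (__wakeup, __destruct, __toString, ...) run with attacker-chosen state.
    return unserialize($data);
}

// --- Hardened pattern ---
function loadInvoiceDataSafe(string $data)
{
    // allowed_classes => false (PHP 7.0+): objects come back as
    // __PHP_Incomplete_Class, whose magic methods never run, so no gadget
    // chain can be triggered. Reject such values outright.
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

echo "vulnerable: ";
$obj = loadInvoiceDataVulnerable($payload);
echo get_class($obj), "\n";   // InvoiceTempFile; __destruct fires on unset()
unset($obj);

echo "hardened: ";
try {
    loadInvoiceDataSafe($payload);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}

// For data the plugin itself produces, prefer a format with no object model.
$plain = json_encode(['invoice_id' => 42, 'total' => '19.99']);
var_dump(json_decode($plain, true));
```

Run with `php demo.php`: the vulnerable call prints the gadget's message when the object is destroyed, the hardened call refuses the payload, and the JSON round trip shows the usual replacement when the data only ever needs scalars and arrays. The allowed_classes option is the minimal fix where serialized PHP must be kept for compatibility; switching the storage format removes the object model entirely.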
Affected Systems
WordPress installations running the add-ons.org PDF Invoice Builder for WooCommerce plugin in any version up to and including 6.5.0 are affected. This covers every site that has the plugin activated and allows invoice generation through WooCommerce.
Risk and Exploitability
With a CVSS score of 8.8, the vulnerability is rated high severity, indicating that successful exploitation would have significant impact. The EPSS value of less than 1% reflects a low estimated probability of exploitation in the wild in the near term, and the vulnerability is not currently listed in the CISA KEV catalog. EPSS measures observed and predicted exploitation activity, not exploit difficulty, and can rise quickly once an entry point is published, so the low score should not delay patching. The description does not name the affected code path; it is inferred that the attack vector involves normal plugin operations such as invoice generation or the handling of user-supplied data, where a crafted serialized payload reaches an unserialize() call. Exploitation requires an attacker to influence the serialized data the plugin ingests, for example through a compromised account with sufficient privileges or manipulated requests to the plugin's endpoints.
OpenCVE Enrichment