Impact
A missing authorization check in the WooCommerce PDF Invoice Builder plugin allows an attacker who can reach the site's invoice generation URLs to download PDF invoices without proper authentication. The flaw stems from incorrectly configured access-control levels on those endpoints, which undermines the confidentiality of customer order information. The vulnerability is classified as CWE-862 (Missing Authorization) and can expose sensitive payment and customer data to non-privileged users.
Affected Systems
The flaw affects all installations of the WooCommerce PDF Invoice Builder plugin by Edgar Rojas, from the earliest release through version 1.2.150. Users running any of these versions are susceptible if the plugin is enabled and accessible via the WordPress admin or frontend interface.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: because the access-control check is missing, an unauthenticated user can request the invoice URLs exposed by the plugin. No elevated privileges are required, so the impact may extend to every customer whose invoices are generated through the plugin.
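For context on what the missing check looks like when it is present, the following is an added example of a hardened WordPress/WooCommerce invoice-download handler; it is not code from the WooCommerce PDF Invoice Builder plugin, and the action name `acme_download_invoice`, the `order_id` and `nonce` query arguments, and the renderer `acme_render_invoice_pdf()` are assumed names for illustration.

```php
<?php
// Added example (not the plugin's code): serve an order's PDF invoice only after
// an explicit authorization check (the CWE-862 control the advisory says is missing).
// Assumed names: action "acme_download_invoice", query args "order_id" and "nonce",
// and a hypothetical acme_render_invoice_pdf() that returns the PDF as a byte string.

add_action( 'wp_ajax_acme_download_invoice', 'acme_download_invoice' );
// Deliberately no matching 'wp_ajax_nopriv_' hook: unauthenticated requests never reach the handler.

function acme_user_may_view_order( WC_Order $order, int $user_id ): bool {
    // Store staff may view any invoice.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // A customer may view only invoices for orders they placed (guest orders have customer id 0).
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}

function acme_download_invoice() {
    // Reject cross-site forged requests before touching any order data.
    check_ajax_referer( 'acme_invoice_download', 'nonce' );

    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // Same response for "not found" and "not yours", so order ids cannot be enumerated.
    if ( ! $order instanceof WC_Order || ! acme_user_may_view_order( $order, get_current_user_id() ) ) {
        wp_die( esc_html__( 'Invoice not available.', 'acme' ), '', array( 'response' => 404 ) );
    }

    $pdf = acme_render_invoice_pdf( $order ); // hypothetical renderer, returns PDF bytes

    nocache_headers();
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="invoice-' . $order_id . '.pdf"' );
    header( 'Content-Length: ' . strlen( $pdf ) );
    echo $pdf;
    exit;
}
```

The vulnerable pattern the advisory describes is this handler with the `acme_user_may_view_order()` call absent (or the endpoint additionally registered under `wp_ajax_nopriv_`), so any request that knows the URL receives the PDF.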
OpenCVE Enrichment