Impact
This vulnerability is a missing authorization flaw in the WooCommerce PDF Invoices & Packing Slips plugin. It allows users to request invoices and packing slips that they are not authorized to view. The result is a confidentiality breach that exposes payment and order details which should remain hidden from unauthorized users. The weakness is categorised as CWE‑862 (Missing Authorization), a common broken access control issue.
Affected Systems
The affected product is the WP Overnight WooCommerce PDF Invoices & Packing Slips plugin, specifically all releases from the earliest available version up through 4.9.1. Users running any version of the plugin at or below 4.9.1 are impacted.
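A version check for the range stated above, as an added example that is not part of the original advisory or the plugin's own code: it scans a WordPress plugins directory, reads each plugin file header, and compares versions numerically so that a release such as 4.10.0 is not mistaken for one below 4.9.1. The header-name fragment used to identify the plugin and the sample directory tree are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (4, 9, 1)  # from the advisory: all releases up through 4.9.1
# Assumption: the plugin is recognised by this fragment of its "Plugin Name" header.
NAME_FRAGMENT = "pdf invoices & packing slips"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def read_header(php_file):
    """Return the first 'plugin name' and 'version' fields found in the file header."""
    text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'4.10.0-beta' -> (4, 10, 0); any pre-release suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    # Tuple comparison is numeric per component, unlike a string comparison,
    # which would sort "4.10.0" before "4.9.1".
    return version_tuple(version) <= LAST_AFFECTED

def scan_plugins(plugins_dir):
    """Yield (directory, version, affected) for each matching plugin copy."""
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if NAME_FRAGMENT in header.get("plugin name", "").lower() and "version" in header:
            yield php_file.parent.name, header["version"], is_affected(header["version"])

def build_sample_tree(root):
    """Constructed sample data: three fake plugin directories (not real installs)."""
    samples = {"site-a-copy": ("WooCommerce PDF Invoices & Packing Slips", "4.9.1"),
               "site-b-copy": ("PDF Invoices & Packing Slips for WooCommerce", "4.10.0"),
               "unrelated": ("Some Other Plugin", "1.0.0")}
    for folder, (name, version) in samples.items():
        path = Path(root) / folder
        path.mkdir(parents=True)
        (path / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, version, affected in scan_plugins(build_sample_tree(tmp)):
            print(f"{folder}: {version} -> {'AFFECTED' if affected else 'ok'}")
```

To check a real site, pass the path of its `wp-content/plugins` directory to `scan_plugins` instead of the constructed tree.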
Risk and Exploitability
The CVSS score of 4.3 indicates low overall severity, and the EPSS score of less than 1% shows that the probability of exploitation is very low. The vulnerability is not listed in CISA’s KEV catalog, which further lowers the likelihood that it is being actively exploited. Based on the description, the likely attack vector involves an authenticated user, or one with access to the e‑commerce site, who can supply a request for an invoice belonging to another user, thereby bypassing normal access controls. Although exploitation would primarily reveal data rather than compromise system integrity or availability, any exposed financial information can have business and regulatory repercussions.
OpenCVE Enrichment