Description
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated users with Subscriber or higher permissions can alter Peppol/EDI endpoint identifiers for any order, potentially redirecting invoices and disrupting payment flows
Action: Update Plugin
AI Analysis

Impact

The PDF Invoices & Packing Slips for WooCommerce plugin contains an insecure direct object reference in the AJAX action wpo_ips_edi_save_order_customer_peppol_identifiers. The handler performs no capability check and no order ownership validation, so any authenticated user, down to Subscriber level, can supply an arbitrary order identifier and modify that order's peppol_endpoint_id and peppol_endpoint_eas fields. This can reroute invoices to unintended parties, lead to payment delays or losses, and expose confidential customer data. The flaw is classified as missing authorization (CWE-862).

Affected Systems

All WordPress sites that have installed the PDF Invoices & Packing Slips for WooCommerce plugin version 5.6.0 or earlier are vulnerable. The vulnerability affects any running instance where the Peppol invoicing feature is enabled, regardless of other security configurations. Sites that have upgraded beyond 5.6.0 are not impacted by the known issue.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the immediate future. The flaw is not listed in CISA’s KEV catalog. Exploitation requires a legitimate user account with at least Subscriber permissions and the ability to call the affected AJAX endpoint with a crafted order ID. Successful manipulation could alter invoice routing on the Peppol network, compromising integrity and confidentiality of transaction data.

Generated by OpenCVE AI on April 16, 2026 at 00:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of PDF Invoices & Packing Slips for WooCommerce (5.6.1 or newer) where proper authorization checks for the AJAX endpoint have been implemented.
  • Restrict Peppol/EDI editing capabilities to Administrator (and necessary business roles) by removing the relevant capabilities from Subscriber and Contributor roles.
  • Implement an additional ownership check in the wpo_ips_edi_save_order_customer_peppol_identifiers action so that a user can modify only orders that belong to them.
  • Regularly audit the peppol_endpoint_id and peppol_endpoint_eas fields and monitor WordPress logs for suspicious calls to the wpo_ips_edi_save_order_customer_peppol_identifiers endpoint.
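The second, third and fourth actions above describe the controls a WordPress AJAX handler needs: every logged-in user, Subscriber included, can invoke any `wp_ajax_*` hook, so the handler itself must enforce a capability check, an ownership check and input validation. The following is an added example of such a hardened handler; it is not the plugin's own code. The action name `example_save_order_peppol_identifiers`, the nonce action name, the `edit_shop_orders` capability choice and the identifier character-set rules are assumptions made for the example; only the `order_id`, `peppol_endpoint_id` and `peppol_endpoint_eas` parameter and meta names come from the advisory.

```php
<?php
/**
 * Added example (not the plugin's own code): a hardened WordPress AJAX handler
 * that saves per-order Peppol identifiers. Hook and function names are assumed.
 *
 * The shape the advisory describes as vulnerable is roughly:
 *   $order = wc_get_order( absint( $_POST['order_id'] ) );
 *   $order->update_meta_data( 'peppol_endpoint_id', sanitize_text_field( $_POST['peppol_endpoint_id'] ) );
 * i.e. the caller-supplied order_id is trusted with no capability or ownership test.
 */

// Registered only for logged-in users (no wp_ajax_nopriv_ counterpart), but that
// alone is not authorization: any Subscriber can still reach this hook.
add_action( 'wp_ajax_example_save_order_peppol_identifiers', 'example_save_order_peppol_identifiers' );

function example_save_order_peppol_identifiers() {
	// 1. CSRF protection: require the nonce issued to the form/JS (assumed nonce action name).
	check_ajax_referer( 'example_save_peppol_identifiers', 'nonce' );

	// 2. Resolve the order from a strictly numeric id; unknown ids fail closed.
	$order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
	$order    = $order_id ? wc_get_order( $order_id ) : false;
	if ( ! $order ) {
		wp_send_json_error( array( 'message' => 'Invalid order.' ), 400 );
	}

	// 3. Authorization: shop staff (WooCommerce's edit_shop_orders capability) OR the
	//    customer who owns this specific order. This is the check the advisory says is missing.
	$current_user_id = get_current_user_id();
	$is_shop_staff   = current_user_can( 'edit_shop_orders' );
	$is_owner        = $current_user_id > 0 && (int) $order->get_customer_id() === $current_user_id;
	if ( ! $is_shop_staff && ! $is_owner ) {
		wp_send_json_error( array( 'message' => 'You are not allowed to edit this order.' ), 403 );
	}

	// 4. Input validation. Peppol EAS scheme codes are four-digit strings (e.g. "0088");
	//    the endpoint id character set below is a conservative assumption for the example.
	$eas      = isset( $_POST['peppol_endpoint_eas'] ) ? sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_eas'] ) ) : '';
	$endpoint = isset( $_POST['peppol_endpoint_id'] ) ? sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_id'] ) ) : '';
	if ( ! preg_match( '/^[0-9]{4}$/', $eas ) ) {
		wp_send_json_error( array( 'message' => 'Invalid EAS code.' ), 400 );
	}
	if ( ! preg_match( '/^[A-Za-z0-9:._-]{1,64}$/', $endpoint ) ) {
		wp_send_json_error( array( 'message' => 'Invalid endpoint identifier.' ), 400 );
	}

	// 5. Persist only after every check has passed.
	$order->update_meta_data( 'peppol_endpoint_id', $endpoint );
	$order->update_meta_data( 'peppol_endpoint_eas', $eas );
	$order->save();

	// 6. Audit trail for the monitoring step: who changed which order's routing identifiers.
	//    wc_get_logger() is WooCommerce's logging API; the 'source' value is assumed.
	wc_get_logger()->info(
		sprintf( 'Peppol identifiers updated on order %d by user %d (eas=%s)', $order_id, $current_user_id, $eas ),
		array( 'source' => 'example-peppol-audit' )
	);

	wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

The ownership test compares the order's stored customer id with the current user rather than anything the request supplies, so a crafted `order_id` for someone else's order is rejected with 403 before any write. The nonce check in step 1 is not a substitute for step 3: a nonce proves the request came from a page the site served to that user, not that the user may edit that order.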

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpovernight; Wpovernight pdf Invoices & Packing Slips For Woocommerce
Vendors & Products | | Wordpress; Wordpress wordpress; Wpovernight; Wpovernight pdf Invoices & Packing Slips For Woocommerce

Wed, 18 Feb 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
Title | | PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpovernight Pdf Invoices & Packing Slips For Woocommerce
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:19.177Z

Reserved: 2026-02-04T15:19:56.700Z

Link: CVE-2026-1906

Vulnrichment

Updated: 2026-02-18T12:25:18.983Z

NVD

Status : Deferred

Published: 2026-02-18T06:16:34.913

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:45:15Z

Weaknesses