Description
Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.8.0.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to invoice and delivery note documents
Action: Update Plugin
AI Analysis

Impact

The vulnerability is a missing authorisation check that allows an attacker to bypass access controls for the Print Invoice & Delivery Notes for WooCommerce plugin. The flaw enables unauthenticated or insufficiently privileged users to view or download invoices and delivery notes that should be restricted to the site owner or legitimate buyers. This results in the disclosure of potentially sensitive financial information.

Affected Systems

Tychesoftwares Print Invoice & Delivery Notes for WooCommerce, version 5.8.0 and earlier.

Risk and Exploitability

The flaw carries a CVSS score of 6.5, indicating moderate severity, and an EPSS score below 1%, showing a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers can exploit the issue by accessing the plugin’s public endpoints or API calls that expose invoice PDFs without verifying the requester’s identity. The plugin’s default configuration presents the attack surface, so any WordPress site running the affected plugin version is potentially vulnerable.

Generated by OpenCVE AI on April 15, 2026 at 23:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch or upgrade the plugin to version 5.8.1 or later where the access control issue is resolved.
  • If upgrading is not immediately possible, restrict the plugin’s visibility by setting role‑based access controls within WordPress so that only administrators or privileged users can call the invoice generation endpoints.
  • Monitor web server and application logs for repeated access attempts to the invoice or delivery note URLs and block or rate‑limit suspicious IP addresses.

Generated by OpenCVE AI on April 15, 2026 at 23:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Mon, 23 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Tychesoftwares
Tychesoftwares print Invoice & Delivery Notes For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Tychesoftwares
Tychesoftwares print Invoice & Delivery Notes For Woocommerce
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.8.0.
Title WordPress Print Invoice & Delivery Notes for WooCommerce plugin <= 5.8.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Tychesoftwares Print Invoice & Delivery Notes For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:32.211Z

Reserved: 2026-01-28T09:50:05.802Z

Link: CVE-2026-24946

cve-icon Vulnrichment

Updated: 2026-02-23T20:56:07.544Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:39.023

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24946

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses