Description
Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.
Published: 2026-06-15
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw in the WooCommerce PDF Invoices & Packing Slips plugin versions before 5.9.0. An attacker can send crafted serialized data that the plugin deserializes, allowing them to instantiate arbitrary PHP objects and trigger code execution within the WordPress environment. This can lead to full compromise of the site, data exfiltration, or further lateral movement, representing a high confidentiality, integrity and availability impact under CWE-502.

Affected Systems

The affected software is the WordPress plugin WooCommerce PDF Invoices & Packing Slips maintained by WP Overnight. Any installation running a plugin version older than 5.9.0 is vulnerable; no specific version numbers are listed beyond that cutoff.

Risk and Exploitability

The CVSS score of 7.2 indicates a medium–high risk, while the EPSS score of <1% suggests exploitation is currently unlikely. The vulnerability is not included in CISA's KEV catalog. Likely attack vectors involve remote delivery of malicious serialized payloads through HTTP requests that the plugin processes during PDF generation. With appropriate permissions, an attacker could achieve remote code execution, as the flaw does not require privilege escalation beyond the web server’s context.

Generated by OpenCVE AI on June 17, 2026 at 23:02 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce PDF Invoices & Packing Slips Plugin to the latest available version (at least 5.9.0).


OpenCVE Recommended Actions

  • Upgrade the WooCommerce PDF Invoices & Packing Slips plugin to version 5.9.0 or newer.
  • Audit and remove any custom code that deserializes data related to PDF generation or implement strict validation if deserialization is unavoidable.
  • Restrict PDF generation endpoints to authenticated administrator roles and enforce role‑based access control to prevent unauthorized exploitation.

Generated by OpenCVE AI on June 17, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpovernight
Wpovernight woocommerce Pdf Invoices\& Packing Slips
Vendors & Products Wordpress
Wordpress wordpress
Wpovernight
Wpovernight woocommerce Pdf Invoices\& Packing Slips

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.
Title WordPress WooCommerce PDF Invoices & Packing Slips plugin < 5.9.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wpovernight Woocommerce Pdf Invoices\& Packing Slips
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:48:49.748Z

Reserved: 2026-04-07T10:41:57.169Z

Link: CVE-2026-39472

cve-icon Vulnrichment

Updated: 2026-06-16T14:48:41.555Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:43.977

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39472

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:15:14Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data