Impact
The vulnerability is a PHP Object Injection flaw in the WooCommerce PDF Invoices & Packing Slips plugin versions before 5.9.0. An attacker can send crafted serialized data that the plugin deserializes, allowing them to instantiate arbitrary PHP objects and trigger code execution within the WordPress environment. This can lead to full compromise of the site, data exfiltration, or further lateral movement, representing a high confidentiality, integrity and availability impact under CWE-502.
Affected Systems
The affected software is the WordPress plugin WooCommerce PDF Invoices & Packing Slips maintained by WP Overnight. Any installation running a plugin version older than 5.9.0 is vulnerable; no specific version numbers are listed beyond that cutoff.
Risk and Exploitability
The CVSS score of 7.2 indicates a medium–high risk, while the EPSS score of <1% suggests exploitation is currently unlikely. The vulnerability is not included in CISA's KEV catalog. Likely attack vectors involve remote delivery of malicious serialized payloads through HTTP requests that the plugin processes during PDF generation. With appropriate permissions, an attacker could achieve remote code execution, as the flaw does not require privilege escalation beyond the web server’s context.
OpenCVE Enrichment