Description
Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to retrieve private invoice data from the WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin. This results in confidentiality loss of order details, customer addresses, and payment information. The weakness aligns with CWE-497, indicating improper authentication enforcement.

Affected Systems

Affected systems are sites running the WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin version 4.9.4 or earlier. No specific sub‑versions are listed; all releases prior to 4.9.5 are impacted.

Risk and Exploitability

The CVSS base score of 7.5 reflects a high risk of data exposure. However, the EPSS score is below 1%, suggesting a low probability of exploitation at this stage, and the vulnerability is not currently listed in the CISA KEV catalog. The most probable exploitation path is through publicly accessible invoice URLs exposed by the plugin, which can be accessed without authentication.

Generated by OpenCVE AI on June 16, 2026 at 20:27 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels Plugin to the latest available version (at least 4.9.5).

OpenCVE Recommended Actions

  • Upgrade the plugin to version 4.9.5 or later to remove the vulnerability.
  • Block unauthenticated access to invoice, packing slip, and shipping label URLs using web‑application firewall rules or server‑side authentication checks.
  • Review server logs for any unauthorized attempts to retrieve invoice files and adjust access controls accordingly.

Generated by OpenCVE AI on June 16, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Webtoffee
Webtoffee woocommerce Pdf Invoices, Packing Slips, Delivery Notes And Shipping Labels
Wordpress
Wordpress wordpress
Vendors & Products Webtoffee
Webtoffee woocommerce Pdf Invoices, Packing Slips, Delivery Notes And Shipping Labels
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.
Title WordPress WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin <= 4.9.4 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Webtoffee Woocommerce Pdf Invoices, Packing Slips, Delivery Notes And Shipping Labels
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:20:36.581Z

Reserved: 2026-05-27T10:26:36.699Z

Link: CVE-2026-49056

cve-icon Vulnrichment

Updated: 2026-06-16T01:20:31.939Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:18.957

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere