Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.

This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.
Published: 2026-06-15
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of code generation that permits an attacker to inject and run arbitrary PHP code during the creation of PDF invoices by the WooCommerce PDF Invoice Builder plugin. This flaw, identified as CWE-94, means that any user who can influence the invoice generation process could deliver malicious payloads that execute with the permissions of the WordPress process, allowing complete control over the affected website.

Affected Systems

Any WordPress site running the WooCommerce PDF Invoice Builder plugin version 2.0.8 or earlier. The plugin, maintained by Edgar Rojas, is widely deployed to generate order invoices, and every release through 2.0.8 lacks the fix.

Risk and Exploitability

The CVSS score of 10 signals critical severity, while the EPSS score is currently unavailable, preventing a precise exploitation probability assessment. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector likely involves initiating PDF generation with crafted input, requiring the ability to create or edit invoices; once executed, injected code runs with WordPress process privileges, potentially compromising the entire site.

Generated by OpenCVE AI on June 16, 2026 at 02:29 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce PDF Invoice Builder Plugin to the latest available version (at least 2.0.9).


OpenCVE Recommended Actions

  • Update the WooCommerce PDF Invoice Builder plugin to version 2.0.9 or later, which contains the official fix.
  • If an upgrade is not immediately possible, deactivate the plugin or disable PDF generation features to block exploitation.
  • Restrict access to order management and invoice creation to trusted administrators only, reducing the chance that unauthorized users can trigger the vulnerable functionality.
  • Monitor server logs for anomalous invoice generation requests or PHP execution errors, and alert on suspicious activity.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type: First Time appeared
Values Added: Edgarrojas; Edgarrojas woocommerce Pdf Invoice Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Edgarrojas; Edgarrojas woocommerce Pdf Invoice Builder; Wordpress; Wordpress wordpress

Mon, 15 Jun 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type: Description
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

Type: Title
Values Added: WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T15:54:11.621Z

Reserved: 2026-06-08T10:11:13.730Z

Link: CVE-2026-52704

Vulnrichment

Updated: 2026-06-15T15:54:07.232Z

NVD

Status : Deferred

Published: 2026-06-15T14:16:36.380

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-52704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T02:30:14Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')