CVE-2025-13773 Scanner

CVE-2025-13773 Scanner - Remote Code Execution vulnerability in Print Invoice & Delivery Notes for WooCommerce

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 2 hours
Scan only one: URL

The Print Invoice & Delivery Notes for WooCommerce plugin is a widely used WordPress plugin that adds invoicing and delivery-note functionality to WooCommerce stores. It is typically deployed by online retailers and e-commerce platforms that want to streamline their sales process by generating invoices directly from their store, and it is useful for store owners who need to provide structured billing and shipping documents to customers. Businesses running on WooCommerce also rely on the plugin's automation to reduce manual errors in transactional documentation. The plugin integrates with WooCommerce and lets retailers customize the appearance of invoices and delivery notes to match their brand identity.

Remote Code Execution (RCE) vulnerabilities allow attackers to run arbitrary code on a vulnerable server. They are particularly dangerous because exploitation can lead to full system takeover, interception of transactions, or a complete data breach. In this plugin, the vulnerability is caused by missing security checks in the code, which allow attackers to execute untrusted commands remotely. No authenticated access is required to exploit the flaw, which amplifies the risk: anyone with network access to the site can potentially trigger it. Addressing this vulnerability is critical for protecting sensitive business and customer data handled by the WooCommerce store.

The vulnerability in Print Invoice & Delivery Notes for WooCommerce stems from multiple issues within the plugin's codebase. The primary concern is an inadequate capability check on operations that require high privileges, which allows those operations to be executed without authorization. Two further weaknesses are exploited together: PHP execution is enabled within dompdf, and inputs reaching template.php are not sanitized, which lets remote attackers achieve code execution. The vulnerable endpoint belongs to the delivery notes feature, where inputs are not properly validated before being processed. Attackers exploit the flaw by crafting HTTP requests to the plugin's existing endpoints. The absence of proper security validation exposes this functionality to external malicious activity.
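The three weaknesses described above (a missing capability check, PHP execution enabled in dompdf, and unsanitized input reaching the template) each correspond to a concrete WordPress or dompdf control. The following hardened handler is an added illustration written for this page, not the plugin's own code or a fix from its authors; the AJAX action name, nonce name and the rendering helper are assumptions.

```php
<?php
// Illustrative hardened PDF-generation handler (NOT the plugin's code).
// Assumed names: the AJAX action, nonce action and render helper are invented for this example.
use Dompdf\Dompdf;
use Dompdf\Options;

add_action( 'wp_ajax_example_delivery_note_pdf', 'example_delivery_note_pdf' );

function example_delivery_note_pdf() {
    // 1. Capability check: only users allowed to manage the store may render documents.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. CSRF protection: reject requests that do not carry a valid nonce.
    check_ajax_referer( 'example_delivery_note_pdf', 'nonce' );

    // 3. Input validation: the order id must be a positive integer that resolves to a real order.
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_die( 'Invalid order', 400 );
    }

    // 4. Build the document from escaped order data only; no raw request data reaches the template.
    $html = example_render_delivery_note_html( $order );

    // 5. dompdf hardening: never let the PDF engine evaluate embedded PHP or fetch remote resources.
    $options = new Options();
    $options->set( 'isPhpEnabled', false );
    $options->set( 'isRemoteEnabled', false );
    $dompdf = new Dompdf( $options );
    $dompdf->loadHtml( $html );
    $dompdf->setPaper( 'A4' );
    $dompdf->render();
    $dompdf->stream( 'delivery-note-' . $order_id . '.pdf', array( 'Attachment' => true ) );
    wp_die();
}

// Assumed helper: renders escaped order data into static markup.
function example_render_delivery_note_html( WC_Order $order ) {
    $rows = '';
    foreach ( $order->get_items() as $item ) {
        $rows .= '<tr><td>' . esc_html( $item->get_name() ) . '</td><td>'
               . esc_html( $item->get_quantity() ) . '</td></tr>';
    }
    return '<h1>Delivery note #' . esc_html( $order->get_order_number() ) . '</h1>'
         . '<table><tr><th>Item</th><th>Qty</th></tr>' . $rows . '</table>';
}
```

When auditing a site, the same three controls are what to look for in the installed plugin version: a capability check and nonce on the document endpoint, and `isPhpEnabled` left at its default of false in the dompdf options.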

If successfully exploited, this vulnerability can result in severe consequences, including unauthorized server access and exploitation of trusted relationships established by the server. This level of compromise means threat actors can alter content, intercept transactions, or delete vital datasets. For businesses, such breaches can result in financial losses, legal liabilities, and reputational damage. It could also lead to regulatory issues if sensitive customer data were accessed or manipulated during the attack.
