Insecure Direct Object Reference in PDF Invoices & Packing Slips for WooCommerce by WordPress
CVE-2026-13116
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-13116?
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is susceptible to an Insecure Direct Object Reference, allowing authenticated attackers with contributor-level access or higher to generate public download links for third-party orders. This vulnerability arises from inadequate validation on a user-controlled key in the generate_document_shortcode function. As a result, sensitive information such as customer names, billing and shipping addresses, email addresses, phone numbers, and order details can be exposed if the Document link access type is set to 'full'. This risk highlights the importance of proper access controls and data validation in plugin configurations.
Affected Version(s)
PDF Invoices & Packing Slips for WooCommerce 0 <= 5.14.0