Insecure Direct Object Reference in PDF Invoices & Packing Slips for WooCommerce by WordPress
CVE-2026-13116

4.3MEDIUM

What is CVE-2026-13116?

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is susceptible to an Insecure Direct Object Reference, allowing authenticated attackers with contributor-level access or higher to generate public download links for third-party orders. This vulnerability arises from inadequate validation on a user-controlled key in the generate_document_shortcode function. As a result, sensitive information such as customer names, billing and shipping addresses, email addresses, phone numbers, and order details can be exposed if the Document link access type is set to 'full'. This risk highlights the importance of proper access controls and data validation in plugin configurations.

Affected Version(s)

PDF Invoices & Packing Slips for WooCommerce 0 <= 5.14.0

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
.