PDF Invoices & Packing Slips for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips

Create, print & automatically email PDF or XML Invoices & PDF Packing Slips for WooCommerce orders.

300K active installs · v5.8.2 · PHP 7.4+ · WP 4.4+ · Updated Mar 3, 2026
Tags: invoices, packing-slips, pdf, ubl, woocommerce
Score: 88
Grade: A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is PDF Invoices & Packing Slips for WooCommerce Safe to Use in 2026?

Generally Safe

Score 88/100

PDF Invoices & Packing Slips for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

In static analysis, the plugin "woocommerce-pdf-invoices-packing-slips" v5.8.2 shows a generally strong security posture for input handling and access control. Nearly all SQL queries use prepared statements (59 of 61, 97%), and output escaping is applied almost universally (98%). Nonce and capability checks are present on most entry points, and no unprotected AJAX handlers or REST API routes were identified. However, the taint analysis found 3 flows with unsanitized paths, which is a significant concern even though they are not currently classified as critical or high severity. They indicate a potential for path traversal or other file system-related vulnerabilities if these flows are not carefully managed.

The plugin's vulnerability history is more concerning. With 12 known CVEs, including high and medium severity issues such as Missing Authorization, SSRF, XSS, and SQL Injection, it shows a recurring pattern of security flaws. There are no currently unpatched vulnerabilities, but the number and types of past issues call for ongoing vigilance and rigorous security auditing. The most recent CVE is dated Feb 17, 2026 and was patched in 5.7.0. Overall, while the current version shows good development practices for basic security measures, the historical context and the identified taint flows warrant caution.

Key Concerns

  • Taint flows with unsanitized paths
  • High severity historical vulnerabilities
  • Medium severity historical vulnerabilities
  • Large number of known CVEs
Vulnerabilities
12

PDF Invoices & Packing Slips for WooCommerce Security Vulnerabilities

CVEs by Year

2017: 1 CVE
2021: 1 CVE
2022: 3 CVEs
2023: 1 CVE
2024: 4 CVEs
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 3
Medium: 9

12 total CVEs

CVE-2026-1906 · medium · 4.3 · Missing Authorization
PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification
Feb 17, 2026 · Patched in 5.7.0 (1d)

CVE-2025-67589 · medium · 4.3 · Missing Authorization
WooCommerce PDF Invoices & Packing Slips <= 4.9.1 - Missing Authorization
Dec 7, 2025 · Patched in 5.0.0 (5d)

CVE-2024-50421 · medium · 5.3 · Missing Authorization
WooCommerce PDF Invoices & Packing Slips <= 3.8.6 - Missing Authorization
Oct 24, 2024 · Patched in 3.8.7 (7d)

CVE-2024-3047 · high · 7.2 · Server-Side Request Forgery (SSRF)
PDF Invoices & Packing Slips for WooCommerce <= 3.8.0 - Unauthenticated Server-Side Request Forgery
Apr 24, 2024 · Patched in 3.8.1 (9d)

CVE-2024-3045 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PDF Invoices & Packing Slips for WooCommerce <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting
Apr 24, 2024 · Patched in 3.8.1 (9d)

CVE-2024-22147 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
PDF Invoices & Packing Slips for WooCommerce <= 3.7.6 - Authenticated (Shop Manager+) SQL Injection
Jan 12, 2024 · Patched in 3.7.7 (21d)

CVE-2022-47148 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WooCommerce PDF Invoices & Packing Slips <= 3.2.5 - Cross Site Request Forgery
Jan 27, 2023 · Patched in 3.2.6 (361d)

CVE-2022-2537 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WooCommerce PDF Invoices & Packing Slips 2.14.0 - 3.0.0 - Reflected Cross-Site Scripting
Aug 3, 2022 · Patched in 3.0.1 (538d)

CVE-2022-2092 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WooCommerce PDF Invoices & Packing Slips <= 2.15.0 - Reflected Cross-Site Scripting
Jun 16, 2022 · Patched in 2.16.0 (586d)

WF-b96349da-e2b4-4b29-94b4-1039427bce8e-woocommerce-pdf-invoices-packing-slips · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WooCommerce PDF Invoices & Packing Slips <= 2.14.5 - Cross-Site Scripting
Jun 7, 2022 · Patched in 2.15 (595d)

CVE-2021-24991 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WooCommerce PDF Invoices & Packing Slips <= 2.10.4 - Reflected Cross-Site Scripting via tab and section parameter
Dec 6, 2021 · Patched in 2.10.5 (778d)

CVE-2017-18506 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WooCommerce PDF Invoices & Packing Slips <= 2.0.12 - Cross-Site Scripting
Oct 2, 2017 · Patched in 2.0.13 (2304d)
Code Analysis
Analyzed Mar 16, 2026

PDF Invoices & Packing Slips for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (59 prepared)
Unescaped Output: 34 (1337 escaped)
Nonce Checks: 57
Capability Checks: 10
File Operations: 17
External Requests: 4
Bundled Libraries: 1

Bundled Libraries

dompdf

SQL Query Safety

97% prepared · 61 total queries

Output Escaping

98% escaped · 1371 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

6 flows · 3 with unsanitized paths
<Main> (includes\Main.php:0)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

PDF Invoices & Packing Slips for WooCommerce Attack Surface

Entry Points: 27
Unprotected: 0

AJAX Handlers 23

auth wp_ajax_wpo_wcpdf_delete_document includes\Admin.php:68
auth wp_ajax_wpo_wcpdf_regenerate_document includes\Admin.php:69
auth wp_ajax_wpo_wcpdf_save_document includes\Admin.php:70
auth wp_ajax_wpo_wcpdf_preview_formatted_number includes\Admin.php:71
auth wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers includes\Admin.php:72
auth wp_ajax_generate_wpo_wcpdf includes\Main.php:32
nopriv wp_ajax_generate_wpo_wcpdf includes\Main.php:33
auth wp_ajax_wpo_ips_get_refund_order_ids includes\Main.php:34
nopriv wp_ajax_wpo_ips_get_refund_order_ids includes\Main.php:35
auth wp_ajax_printed_wpo_wcpdf includes\Main.php:38
auth wp_ajax_wpo_wcpdf_debug_tools includes\Settings\SettingsDebug.php:35
auth wp_ajax_wpo_wcpdf_danger_zone_tools includes\Settings\SettingsDebug.php:36
auth wp_ajax_wpo_wcpdf_numbers_data includes\Settings\SettingsDebug.php:37
auth wp_ajax_wpo_ips_plugin_report includes\Settings\SettingsDebug.php:39
auth wp_ajax_wpo_ips_edi_save_taxes includes\Settings\SettingsEDI.php:47
auth wp_ajax_wpo_ips_edi_reload_tax_table includes\Settings\SettingsEDI.php:48
auth wp_ajax_wpo_ips_edi_load_customer_order_identifiers includes\Settings\SettingsEDI.php:49
auth wp_ajax_wcpdf_get_country_states includes\Settings\SettingsGeneral.php:27
auth wp_ajax_wpo_wcpdf_set_next_number includes\Settings.php:65
auth wp_ajax_wpo_wcpdf_get_media_upload_setting_html includes\Settings.php:68
auth wp_ajax_wpo_wcpdf_preview includes\Settings.php:79
auth wp_ajax_wpo_wcpdf_preview_order_search includes\Settings.php:81
auth wp_ajax_wpo_wcpdf_sync_address includes\Settings.php:96

REST API Routes 1

POST /wp-json/wpo-ips/v1/peppol-endpoint edi\Peppol.php:646

Shortcodes 3

[wcpdf_download_invoice] includes\Frontend.php:39
[wcpdf_download_pdf] includes\Frontend.php:40
[wcpdf_document_link] includes\Frontend.php:41
WordPress Hooks 168
filter woocommerce_account_menu_items edi\Peppol.php:33
action rest_api_init edi\Peppol.php:34
action woocommerce_new_order edi\Peppol.php:35
action template_redirect edi\Peppol.php:37
action woocommerce_account_peppol_endpoint edi\Peppol.php:38
filter woocommerce_checkout_fields edi\Peppol.php:43
filter woocommerce_checkout_get_value edi\Peppol.php:44
action woocommerce_after_checkout_validation edi\Peppol.php:45
action woocommerce_checkout_update_order_meta edi\Peppol.php:46
action woocommerce_set_additional_field_value edi\Peppol.php:51
action woocommerce_store_api_checkout_order_processed edi\Peppol.php:52
action wp_enqueue_scripts edi\Peppol.php:55
action woocommerce_admin_order_actions_end includes\Admin.php:26
filter manage_woocommerce_page_wc-orders_columns includes\Admin.php:29
action manage_woocommerce_page_wc-orders_custom_column includes\Admin.php:30
filter manage_woocommerce_page_wc-orders_sortable_columns includes\Admin.php:31
filter woocommerce_shop_order_list_table_sortable_columns includes\Admin.php:32
filter woocommerce_order_list_table_prepare_items_query_args includes\Admin.php:33
filter manage_edit-shop_order_columns includes\Admin.php:35
action manage_shop_order_posts_custom_column includes\Admin.php:36
filter manage_edit-shop_order_sortable_columns includes\Admin.php:37
action pre_get_posts includes\Admin.php:38
action add_meta_boxes includes\Admin.php:41
filter request includes\Admin.php:43
filter bulk_actions-edit-shop_order includes\Admin.php:45
filter bulk_actions-woocommerce_page_wc-orders includes\Admin.php:46
filter woocommerce_order_table_search_query_meta_keys includes\Admin.php:49
filter woocommerce_shop_order_search_fields includes\Admin.php:50
action woocommerce_process_shop_order_meta includes\Admin.php:53
action woocommerce_process_shop_order_meta includes\Admin.php:57
action admin_notices includes\Admin.php:59
action admin_notices includes\Admin.php:60
action init includes\Admin.php:62
action admin_bar_menu includes\Admin.php:65
action wpo_wcpdf_document_actions includes\Admin.php:75
filter woocommerce_rest_prepare_report_orders includes\Admin.php:78
filter woocommerce_report_orders_export_columns includes\Admin.php:79
filter woocommerce_report_orders_prepare_export_item includes\Admin.php:80
filter wpo_wcpdf_document_store_settings includes\Admin.php:1512
filter woocommerce_new_order_email_allows_resend includes\Admin.php:1550
filter redirect_post_location includes\Admin.php:1562
action admin_enqueue_scripts includes\Assets.php:24
filter script_loader_tag includes\Assets.php:25
action woocommerce_subscriptions_renewal_order_created includes\Compatibility\ThirdPartyPlugins.php:28
filter wcs_renewal_order_meta includes\Compatibility\ThirdPartyPlugins.php:30
filter wcs_resubscribe_order_meta includes\Compatibility\ThirdPartyPlugins.php:31
filter wc_subscriptions_renewal_order_data includes\Compatibility\ThirdPartyPlugins.php:33
filter wc_subscriptions_resubscribe_order_data includes\Compatibility\ThirdPartyPlugins.php:34
filter wpo_wcpdf_item_row_class includes\Compatibility\ThirdPartyPlugins.php:39
filter wpo_wcpdf_item_row_class includes\Compatibility\ThirdPartyPlugins.php:42
filter wpo_wcpdf_item_row_class includes\Compatibility\ThirdPartyPlugins.php:45
filter wpo_wcpdf_item_row_class includes\Compatibility\ThirdPartyPlugins.php:48
filter wpo_wcpdf_item_row_class includes\Compatibility\ThirdPartyPlugins.php:51
filter wpo_wcpdf_wc_emails includes\Compatibility\ThirdPartyPlugins.php:55
action wpo_wcpdf_before_html includes\Compatibility\ThirdPartyPlugins.php:61
action wpo_wcpdf_before_html includes\Compatibility\ThirdPartyPlugins.php:66
action wpo_wcpdf_after_html includes\Compatibility\ThirdPartyPlugins.php:67
filter woocommerce_hpos_admin_search_filters includes\Compatibility\ThirdPartyPlugins.php:70
filter woocommerce_shop_order_list_table_prepare_items_query_args includes\Compatibility\ThirdPartyPlugins.php:71
filter wpo_ips_edi_cii_seller_data includes\Compatibility\ThirdPartyPlugins.php:74
filter wc_price_args includes\Compatibility\ThirdPartyPlugins.php:378
filter woocommerce_order_item_name includes\Compatibility\ThirdPartyPlugins.php:402
action init includes\Documents.php:39
action init includes\Endpoint.php:27
action query_vars includes\Endpoint.php:28
action parse_request includes\Endpoint.php:29
filter woocommerce_my_account_my_orders_actions includes\Frontend.php:31
action wp_enqueue_scripts includes\Frontend.php:32
filter woocommerce_api_order_response includes\Frontend.php:35
filter woocommerce_rest_prepare_shop_order_object includes\Frontend.php:36
action woocommerce_set_additional_field_value includes\Frontend.php:50
action woocommerce_store_api_checkout_order_processed includes\Frontend.php:51
filter woocommerce_checkout_fields includes\Frontend.php:54
filter woocommerce_checkout_get_value includes\Frontend.php:55
action woocommerce_after_checkout_validation includes\Frontend.php:56
action woocommerce_checkout_update_order_meta includes\Frontend.php:57
action woocommerce_admin_order_data_after_billing_address includes\Frontend.php:59
action woocommerce_edit_account_form includes\Frontend.php:63
filter woocommerce_save_account_details_errors includes\Frontend.php:64
action woocommerce_save_account_details includes\Frontend.php:65
filter wpo_wcpdf_document_store_settings includes\Frontend.php:305
action admin_init includes\Install.php:24
action admin_init includes\Install.php:76
filter woocommerce_email_attachments includes\Main.php:41
filter wpo_wcpdf_document_is_allowed includes\Main.php:42
filter wp_mail includes\Main.php:43
filter wpo_wcpdf_document_use_historical_settings includes\Main.php:53
filter wpo_wcpdf_get_html includes\Main.php:56
action wpo_wcpdf_after_dompdf_render includes\Main.php:57
filter wpo_wcpdf_pdf_filters includes\Main.php:58
filter wpo_wcpdf_html_filters includes\Main.php:59
action wp_scheduled_delete includes\Main.php:62
action woocommerce_privacy_remove_order_personal_data_meta includes\Main.php:66
action woocommerce_privacy_remove_order_personal_data includes\Main.php:67
filter wpo_wcpdf_document_is_allowed includes\Main.php:68
action woocommerce_privacy_export_order_personal_data_meta includes\Main.php:71
action wpo_wcpdf_custom_styles includes\Main.php:74
filter wpo_wcpdf_template_custom_styles includes\Main.php:77
action admin_notices includes\Main.php:80
filter woocommerce_webhook_topic_hooks includes\Main.php:83
filter woocommerce_valid_webhook_events includes\Main.php:84
filter woocommerce_webhook_topics includes\Main.php:85
action wpo_wcpdf_save_document includes\Main.php:86
action wpo_wcpdf_after_order_data includes\Main.php:89
action wpo_wcpdf_delete_document includes\Main.php:91
action init includes\Main.php:94
filter wcpdf_disable_deprecation_notices includes\Main.php:141
action wpo_wcpdf_init_document includes\Main.php:165
action wpo_wcpdf_init_document includes\Main.php:494
action wpo_wcpdf_init_document includes\Main.php:500
action wpo_wcpdf_init_document includes\Main.php:506
filter wpo_wcpdf_use_path includes\Main.php:526
action action_scheduler_ensure_recurring_actions includes\Semaphore.php:468
action admin_init includes\Settings\SettingsDebug.php:27
action admin_init includes\Settings\SettingsDebug.php:28
action admin_init includes\Settings\SettingsDebug.php:29
action wpo_wcpdf_settings_output_debug includes\Settings\SettingsDebug.php:31
action wpo_wcpdf_number_table_data_fetch includes\Settings\SettingsDebug.php:32
action wpo_wcpdf_check_unstable_version_daily includes\Settings\SettingsDebug.php:33
filter woocommerce_order_data_store_cpt_get_orders_query includes\Settings\SettingsDebug.php:678
filter wpo_wcpdf_document_is_allowed includes\Settings\SettingsDebug.php:719
action admin_notices includes\Settings\SettingsDebug.php:1392
action admin_init includes\Settings\SettingsDocuments.php:22
action wpo_wcpdf_settings_output_documents includes\Settings\SettingsDocuments.php:23
action admin_init includes\Settings\SettingsEDI.php:40
action wpo_wcpdf_settings_output_edi includes\Settings\SettingsEDI.php:41
action woocommerce_order_after_calculate_totals includes\Settings\SettingsEDI.php:42
action woocommerce_checkout_order_processed includes\Settings\SettingsEDI.php:43
filter pre_update_option_wpo_ips_edi_settings includes\Settings\SettingsEDI.php:44
action admin_init includes\Settings\SettingsGeneral.php:24
action wpo_wcpdf_settings_output_general includes\Settings\SettingsGeneral.php:25
action wpo_wcpdf_before_settings includes\Settings\SettingsGeneral.php:26
action admin_notices includes\Settings\SettingsGeneral.php:30
action wpo_wcpdf_before_settings_page includes\Settings\SettingsUpgrade.php:25
action wpo_wcpdf_after_settings_page includes\Settings\SettingsUpgrade.php:26
action wpo_wcpdf_schedule_extensions_license_cache_clearing includes\Settings\SettingsUpgrade.php:27
action admin_menu includes\Settings.php:56
filter plugin_row_meta includes\Settings.php:59
filter option_page_capability_wpo_wcpdf_general_settings includes\Settings.php:62
action update_option_wpo_wcpdf_settings_general includes\Settings.php:71
action update_option_wpo_wcpdf_settings_debug includes\Settings.php:73
action init includes\Settings.php:74
action wpo_wcpdf_settings_output_general includes\Settings.php:76
action wpo_wcpdf_schedule_yearly_reset_numbers includes\Settings.php:84
action wpo_wcpdf_init_documents includes\Settings.php:87
filter wpo_wcpdf_settings_fields_general includes\Settings.php:90
filter wpo_wcpdf_settings_fields_debug includes\Settings.php:93
action admin_menu includes\SetupWizard.php:29
action admin_init includes\SetupWizard.php:31
filter qm/dispatch/html includes\SetupWizard.php:196
filter wpo_ips_ink_saving_supported_templates templates\Simple\template-functions.php:8
filter wpo_ips_ink_saving_css templates\Simple\template-functions.php:13
action init woocommerce-pdf-invoices-packingslips.php:80
action init woocommerce-pdf-invoices-packingslips.php:81
action before_woocommerce_init woocommerce-pdf-invoices-packingslips.php:83
action admin_notices woocommerce-pdf-invoices-packingslips.php:84
action admin_notices woocommerce-pdf-invoices-packingslips.php:85
action admin_notices woocommerce-pdf-invoices-packingslips.php:86
action admin_notices woocommerce-pdf-invoices-packingslips.php:87
action admin_notices woocommerce-pdf-invoices-packingslips.php:88
action admin_notices woocommerce-pdf-invoices-packingslips.php:89
action admin_notices woocommerce-pdf-invoices-packingslips.php:90
action wpo_wcpdf_new_github_prerelease_available woocommerce-pdf-invoices-packingslips.php:91
action init woocommerce-pdf-invoices-packingslips.php:92
action admin_init woocommerce-pdf-invoices-packingslips.php:194
action admin_notices woocommerce-pdf-invoices-packingslips.php:209
filter wpo_wcpdf_document_is_allowed woocommerce-pdf-invoices-packingslips.php:215
action admin_notices woocommerce-pdf-invoices-packingslips.php:216
Maintenance & Trust

PDF Invoices & Packing Slips for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 21.5M

Community Trust

Rating: 100/100
Number of ratings: 1,842
Active installs: 300K
Developer Profile

PDF Invoices & Packing Slips for WooCommerce Developer Profile

WP Overnight

7 plugins · 390K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 430 days
Detection Fingerprints

How We Detect PDF Invoices & Packing Slips for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
