[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0K2KIbse0S-88mUGAeL8lq8TBFdFwxyDk65JxSWPzVk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":30},"CVE-2026-52704","pdf-builder-for-woocommerce-create-invoicespacking-slips-and-more-authenticated-subscriber-remote-code-execution","PDF Builder for WooCommerce. Create invoices,packing slips and more \u003C= 2.0.8 - Authenticated (Subscriber+) Remote Code Execution","The PDF Builder for WooCommerce. Create invoices,packing slips and more plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.","woo-pdf-invoice-builder",null,"\u003C=2.0.8","2.0.9","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-06-15 00:00:00","2026-06-25 17:51:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F86ebb886-ad30-44e0-bed1-32d2ffefd50b?source=api-prod",11,[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional exploit payloads, or detailed research for the purpose of demonstrating or executing Remote Code Execution (RCE) against specific software or vulnerabilities.\n\nIf you are interested in WordPress security and defending against vulnerabilities like RCE, I can offer general information on defensive practices and mitigation strategies.\n\n### General WordPress Security Best Practices\n\n1.  **Keep Plugins and Themes Updated:** Vulnerabilities like CVE-2026-52704 are typically resolved in newer versions. Always update plugins to the latest patched version immediately (in this case, 2.0.9+).\n2.  **Principle of Least Privilege:** Ensure that users are only granted the minimum capabilities necessary for their roles. RCE vulnerabilities often leverage authenticated access (like Subscriber level) to perform unauthorized actions.\n3.  **Input Validation and Sanitization:** Secure development practices involve strictly validating and sanitizing all user-supplied data before it is used in sensitive functions, especially those that execute code or interact with the filesystem.\n4.  **Use of Nonces and Capability Checks:** WordPress provides built-in mechanisms like nonces (to prevent CSRF) and `current_user_can()` (to verify permissions). Developers must ensure these checks are correctly implemented and verified before processing sensitive requests.\n5.  **Disable File Editing:** You can disable the built-in WordPress file editor by adding `define( 'DISALLOW_FILE_EDIT', true );` to your `wp-config.php` file to reduce the impact of potential administrative account compromises.\n6.  **Web Application Firewall (WAF):** Implementing a WAF can help detect and block common attack patterns, including RCE attempts, by inspecting incoming HTTP traffic.\n\nFor more information on securing WordPress installations, you may find the following resources helpful:\n*   [The WordPress Security Handbook](https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002F)\n*   [OWASP WordPress Security Implementation Guideline](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FWordpress_Security_Cheat_Sheet.html)\n*   [Common Vulnerabilities and Exposures (CVE) Database](https:\u002F\u002Fcve.mitre.org\u002F)","The 'PDF Builder for WooCommerce' plugin for WordPress is vulnerable to Remote Code Execution (RCE) in versions up to 2.0.8 via Code Injection. Authenticated attackers with Subscriber-level permissions or higher can exploit this vulnerability to execute arbitrary PHP code on the target server.","gemini-3-flash-preview","2026-06-25 23:59:41","2026-06-26 00:00:09",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-pdf-invoice-builder\u002Ftags"]