CVE-2026-39472

PDF Invoices & Packing Slips for WooCommerce < 5.9.0 - Authenticated (Shop manager+) PHP Object Injection

Severity: medium
Weakness: Deserialization of Untrusted Data
CVSS Score: 6.6
Patched in: 5.9.0
Time to patch: 11d

Description

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to 5.9.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: < 5.9.0
Published: April 20, 2026
Last updated: April 30, 2026

What Changed in the Fix

Changes introduced in v5.9.0


Source Code

WordPress.org SVN
Research Plan
Unverified


Vulnerability Summary

The PDF Invoices & Packing Slips for WooCommerce plugin is vulnerable to PHP Object Injection in versions prior to 5.9.0. The vulnerability exists because the plugin uses the maybe_unserialize() function on metadata retrieved from WooCommerce orders without sufficient validation. Specifically, the get_order_settings() method in the WPO\IPS\Documents\OrderDocument class retrieves the _wcpdf_{$type}_settings meta-key and, if the result is a string (and not an array), it passes it to maybe_unserialize().

An authenticated attacker with Shop Manager or Administrator privileges can exploit this by injecting a malicious serialized PHP string into the order's metadata via the wpo_wcpdf_save_document AJAX action. When a PDF is subsequently generated or previewed for that order, the malicious object is instantiated, potentially leading to remote code execution (RCE) if a suitable POP chain is present in other installed plugins or themes.

Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: wpo_wcpdf_save_document (for injection) and wpo_wcpdf_preview (for triggering).
  • Parameters:
    • Injection: action, security (nonce), order_id, document_type, form_data.
    • Trigger: action, security (nonce), `order_ids
Research Findings
Static analysis — not yet PoC-verified

Summary

The PDF Invoices & Packing Slips for WooCommerce plugin is vulnerable to PHP Object Injection due to the unsafe use of `maybe_unserialize()` on order metadata. Authenticated attackers with Shop Manager or Administrator privileges can inject malicious serialized PHP strings into order settings, which are then instantiated when a PDF document is generated or previewed.

Vulnerable Code

// includes/Documents/OrderDocument.php line 182
	public function get_order_settings() {
		$order_settings = array();

		if ( ! empty( $this->order ) ) {
			// Order meta is writable by anyone who can save the document settings.
			$order_settings = $this->order->get_meta( "_wcpdf_{$this->slug}_settings" );
			if ( ! empty( $order_settings ) && ! is_array( $order_settings ) ) {
				// Sink: a string value reaches unserialize() with no class restrictions.
				$order_settings = maybe_unserialize( $order_settings );
			}
		}

		return $order_settings;
	}

Security Fix

--- a/includes/Documents/OrderDocument.php
+++ b/includes/Documents/OrderDocument.php
@@ -184,9 +184,6 @@
 
 		if ( ! empty( $this->order ) ) {
 			$order_settings = $this->order->get_meta( "_wcpdf_{$this->slug}_settings" );
-			if ( ! empty( $order_settings ) && ! is_array( $order_settings ) ) {
-				$order_settings = maybe_unserialize( $order_settings );
-			}
 		}
 
 		return $order_settings;
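Review bot: with the maybe_unserialize() branch removed, get_order_settings() now returns whatever get_meta() hands back, including a non-empty string for any order whose settings were stored in serialized form by an earlier version, while the initial `$order_settings = array();` shows callers expect an array. Consider adding a guard before the return, for example `if ( ! is_array( $order_settings ) ) { $order_settings = array(); }`, so the fix closes the deserialization sink without introducing a type mismatch for callers that iterate or index the result.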

Exploit Outline

1. Authenticate as a user with Shop Manager or Administrator privileges.
2. Identify a valid WooCommerce Order ID.
3. Send a POST request to `/wp-admin/admin-ajax.php` with the action `wpo_wcpdf_save_document`.
4. The payload should include a malicious serialized PHP object string targeted at the `_wcpdf_{type}_settings` metadata field via the `form_data` parameter.
5. To trigger the deserialization, invoke the `wpo_wcpdf_preview` AJAX action for the same Order ID.
6. The plugin's `OrderDocument::get_order_settings` method will retrieve the malicious metadata and pass it to `maybe_unserialize()`, executing the object's magic methods if a suitable POP chain is available on the site.
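As an added illustration (not code from the plugin, its 5.9.0 patch, or this advisory), the following stand-alone PHP script reproduces the sink in `get_order_settings()` beside a hardened variant that never instantiates classes from stored meta, plus a helper that flags stored settings strings declaring serialized objects without unserializing them. It assumes no WordPress is loaded: `$meta` stands in for `$order->get_meta()`, and an unrestricted `unserialize()` call stands in for core's `maybe_unserialize()`. `AuditMarker`, `vulnerable_get_order_settings()`, `hardened_get_order_settings()`, `contains_object()` and `looks_like_serialized_object()` are names introduced here; the hardened function is one defensive design, not the approach the 5.9.0 fix took (which simply removes the branch).

```php
<?php
// Added example, not plugin code. Simulates the sink in
// OrderDocument::get_order_settings() and shows a hardened replacement.
// Assumption: no WordPress is loaded; $meta stands in for $order->get_meta().

// Harmless stand-in for a gadget class: it only counts how often it is revived.
class AuditMarker {
    public static int $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

// Mirrors the vulnerable branch: a non-array value is handed to unserialize()
// with no class restrictions (assumption: this matches what core's
// maybe_unserialize() does, which is what makes the call a sink).
function vulnerable_get_order_settings($meta) {
    $order_settings = array();
    if (!empty($meta) && !is_array($meta)) {
        $order_settings = @unserialize(trim($meta));
    }
    return $order_settings;
}

// Hardened version: arrays pass through untouched; strings (legacy storage
// format) are decoded with allowed_classes disabled, so any declared object
// becomes __PHP_Incomplete_Class and is rejected; anything that does not
// decode to a plain array falls back to an empty array.
function hardened_get_order_settings($meta): array {
    if (is_array($meta)) {
        return $meta;
    }
    if (is_string($meta) && $meta !== '') {
        $decoded = @unserialize(trim($meta), ['allowed_classes' => false]);
        if (is_array($decoded) && !contains_object($decoded)) {
            return $decoded;
        }
    }
    return array();
}

// Recursively checks that a decoded value holds only scalars and arrays.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// Detection heuristic for stored meta: flags serialized strings that declare
// an object (O:) or custom-serialized class (C:) at the top level or nested
// after a separator, without ever unserializing the value. It can
// false-positive on string contents that happen to contain ';O:1:"'.
function looks_like_serialized_object(string $meta): bool {
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $meta);
}

// Constructed sample values (not taken from any real site).
$legit   = array('display_date' => 'invoice_date');
$legacy  = serialize($legit);            // plain array stored as a string
$hostile = 'O:11:"AuditMarker":0:{}';    // serialized object of the marker class

AuditMarker::$wakeups = 0;
vulnerable_get_order_settings($hostile);
printf("vulnerable path revived objects: %d\n", AuditMarker::$wakeups);

AuditMarker::$wakeups = 0;
$result = hardened_get_order_settings($hostile);
printf("hardened path revived objects: %d, returned: %s\n",
       AuditMarker::$wakeups, var_export($result, true));
printf("hardened path keeps legacy array: %s\n",
       var_export(hardened_get_order_settings($legacy) === $legit, true));
printf("scan flags hostile: %s, flags legacy: %s\n",
       var_export(looks_like_serialized_object($hostile), true),
       var_export(looks_like_serialized_object($legacy), true));
```

Run it with `php example.php` on PHP 7.4 or later (the `allowed_classes` option needs PHP 7.0+, the typed static property 7.4+). The point of the hardened variant is that it keeps reading legacy string-stored settings, which the shipped fix no longer decodes at all, while guaranteeing that no class from stored data is ever instantiated; the scan helper is the kind of check a defender can run over existing `_wcpdf_*_settings` meta rows after upgrading to find values written before the patch.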
