[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpf2R8lFAeozHFUFod9QO8dX99i5c8KqcZqb7ppxXzB8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39472","pdf-invoices-packing-slips-for-woocommerce-authenticated-shop-manager-php-object-injection","PDF Invoices & Packing Slips for WooCommerce \u003C 5.9.0 - Authenticated (Shop manager+) PHP Object Injection","The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to 5.9.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","woocommerce-pdf-invoices-packing-slips",null,"\u003C5.9.0","5.9.0","medium",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-20 00:00:00","2026-04-30 14:44:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F75f5f59e-b071-43aa-87a5-d7c31fb35dae?source=api-prod",11,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fsettings-styles.css","assets\u002Fcss\u002Fsettings-styles.min.css","edi\u002FAbstracts\u002FAbstractHandler.php","edi\u002FPeppol.php","edi\u002FSyntaxes\u002FUbl\u002FFormats\u002FPeppolBis3p0\u002FHandlers\u002FAccountingSupplierPartyHandler.php","includes\u002FAdmin.php","includes\u002FCompatibility\u002FFileSystem.php","includes\u002FDocuments\u002FOrderDocument.php","researched",false,3,"## Vulnerability Summary\nThe **PDF Invoices & Packing Slips for WooCommerce** plugin is vulnerable to **PHP Object Injection** in versions prior to **5.9.0**. The vulnerability exists because the plugin uses the `maybe_unserialize()` function on metadata retrieved from WooCommerce orders without sufficient validation. Specifically, the `get_order_settings()` method in the `WPO\\IPS\\Documents\\OrderDocument` class retrieves the `_wcpdf_{$type}_settings` meta-key and, if the result is a string (and not an array), it passes it to `maybe_unserialize()`.\n\nAn authenticated attacker with **Shop Manager** or **Administrator** privileges can exploit this by injecting a malicious serialized PHP string into the order's metadata via the `wpo_wcpdf_save_document` AJAX action. When a PDF is subsequently generated or previewed for that order, the malicious object is instantiated, potentially leading to remote code execution (RCE) if a suitable POP chain is present in other installed plugins or themes.\n\n## Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable Action**: `wpo_wcpdf_save_document` (for injection) and `wpo_wcpdf_preview` (for triggering).\n- **Parameters**: \n    - Injection: `action`, `security` (nonce), `order_id`, `document_type`, `form_data`.\n    - Trigger: `action`, `security` (nonce), `order_ids","The PDF Invoices & Packing Slips for WooCommerce plugin is vulnerable to PHP Object Injection due to the unsafe use of `maybe_unserialize()` on order metadata. Authenticated attackers with Shop Manager or Administrator privileges can inject malicious serialized PHP strings into order settings, which are then instantiated when a PDF document is generated or previewed.","\u002F\u002F includes\u002FDocuments\u002FOrderDocument.php line 182\n\tpublic function get_order_settings() {\n\t\t$order_settings = array();\n\n\t\tif ( ! empty( $this->order ) ) {\n\t\t\t$order_settings = $this->order->get_meta( \"_wcpdf_{$this->slug}_settings\" );\n\t\t\tif ( ! empty( $order_settings ) && ! is_array( $order_settings ) ) {\n\t\t\t\t$order_settings = maybe_unserialize( $order_settings );\n\t\t\t}\n\t\t}\n\n\t\treturn $order_settings;\n\t}","--- a\u002Fincludes\u002FDocuments\u002FOrderDocument.php\n+++ b\u002Fincludes\u002FDocuments\u002FOrderDocument.php\n@@ -184,9 +184,6 @@\n \n \t\tif ( ! empty( $this->order ) ) {\n \t\t\t$order_settings = $this->order->get_meta( \"_wcpdf_{$this->slug}_settings\" );\n-\t\t\tif ( ! empty( $order_settings ) && ! is_array( $order_settings ) ) {\n-\t\t\t\t$order_settings = maybe_unserialize( $order_settings );\n-\t\t\t}\n \t\t}\n \n \t\treturn $order_settings;","1. Authenticate as a user with Shop Manager or Administrator privileges.\n2. Identify a valid WooCommerce Order ID.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `wpo_wcpdf_save_document`. \n4. The payload should include a malicious serialized PHP object string targeted at the `_wcpdf_{type}_settings` metadata field via the `form_data` parameter.\n5. To trigger the deserialization, invoke the `wpo_wcpdf_preview` AJAX action for the same Order ID.\n6. The plugin's `OrderDocument::get_order_settings` method will retrieve the malicious metadata and pass it to `maybe_unserialize()`, executing the object's magic methods if a suitable POP chain is available on the site.","gemini-3-flash-preview","2026-05-04 19:39:37","2026-05-04 19:40:29",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.8.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-pdf-invoices-packing-slips\u002Ftags\u002F5.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-pdf-invoices-packing-slips.5.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-pdf-invoices-packing-slips\u002Ftags\u002F5.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-pdf-invoices-packing-slips.5.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-pdf-invoices-packing-slips\u002Ftags"]