Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Missing Authorization
Description
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
<=5.8.0
What Changed in the Fix
Changes introduced in v5.9.0
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-24946
1. Vulnerability Summary
The Print Invoice & Delivery Notes for WooCommerce plugin (versions <= 5.8.0) is vulnerable to Missing Authorization. The vulnerability exists because certain functions hooked to `init` or `admin_init` (which also runs during AJAX requests) do not perform capability checks (e.g., `current_user_can( 'manage_woocommerce' )`). This allows unauthenticated attackers to perform unauthorized actions, such as dismissing tracking notices, triggering server-side PDF generation (modifying order metadata), or injecting CSS into the page.
Based on the source code, the most likely "unauthorized action" involves the dismissal of tracking notices or the triggering of PDF generation processes that modify order meta, as the integrity impact is rated as Low (I:L).
2. Attack Vector Analysis
- Endpoint: `admin-ajax.php` (for notice dismissal) or any URL (for CSS injection/PDF trigger).
- Vulnerable Action: `wcdn_ts_dismiss_notice` (inferred from `wcdn_deactivation_enquaue_script`) or the `wcdn_remove_save_btn` hook.
- Payload Parameters:
  - Action: `wcdn_ts_dismiss_notice`
  - Nonce: `tracking_notice` (leaked via `wp_localize_script`)
  - URL Params for CSS injection: `?tab=wcdn
- Action:
Summary
The Print Invoice & Delivery Notes for WooCommerce plugin is vulnerable to unauthorized access and potential remote code execution due to missing authorization and nonce checks in its settings update logic and insecure PDF engine configuration. Unauthenticated attackers can modify plugin settings or potentially execute arbitrary PHP code if they can influence the content of generated PDF documents while the Dompdf engine has PHP execution enabled.
Vulnerable Code
```php
// includes/class-woocommerce-delivery-notes.php
/**
 * Install or update the default settings.
 */
public function update() {
	// Set default template type for invoice, receipt, and delivery-note if not set.
	if ( false === get_option( 'wcdn_template_type_invoice', false ) ) {
		add_option( 'wcdn_template_type_invoice', 'yes' );
	}
	// ... (logic follows without current_user_can() or nonce checks)
}
```

```php
// includes/front/wcdn-front-function.php line 37
// Instantiate and use the dompdf class.
$options = new \Dompdf\Options();
$options->set( 'isRemoteEnabled', true );
$options->set( 'isPhpEnabled', true );
$dompdf = new Dompdf( $options );
```
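For auditing a plugin tree for the two weaknesses shown above, here is an added example (not code from the plugin or from this page): a text-level check that reports Dompdf options left enabled and a named function that lacks `current_user_can()` / `wp_verify_nonce()`. The helper names are hypothetical, the two samples are constructed from the snippets quoted on this page, and the brace matching is a heuristic rather than a PHP parser.

```python
import re

# Constructed samples modelled on the snippets quoted on this page.
VULNERABLE = r"""
public function update() {
    if ( false === get_option( 'wcdn_template_type_invoice', false ) ) {
        add_option( 'wcdn_template_type_invoice', 'yes' );
    }
}
$options = new \Dompdf\Options();
$options->set( 'isRemoteEnabled', true );
$options->set( 'isPhpEnabled', true );
"""
PATCHED = r"""
public function update() {
    if ( ! current_user_can( 'manage_options' ) ) { return; }
    $nonce = sanitize_text_field( wp_unslash( $_POST['wcdn_general_settings_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'wcdn_general_settings_action' ) ) { return; }
}
$options->set( 'isRemoteEnabled', true );
$options->set( 'isPhpEnabled', false );
"""

OPTION_SET = re.compile(r"->set\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)
RISKY_OPTIONS = ("isPhpEnabled", "isRemoteEnabled")
GUARDS = ("current_user_can", "wp_verify_nonce")

def risky_dompdf_options(php):
    """Risky Dompdf options whose last assignment in the source is true."""
    state = {name: value.lower() == "true" for name, value in OPTION_SET.findall(php)}
    return sorted(n for n in RISKY_OPTIONS if state.get(n))

def function_body(php, name):
    """Brace-balanced body of `function name(...)`; heuristic, ignores strings."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php) and depth:
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        i += 1
    return php[m.end():i - 1]

def missing_guards(php, name):
    """Guards absent from the function body, or None if it is not found."""
    body = function_body(php, name)
    if body is None:
        return None
    return [g for g in GUARDS if not re.search(re.escape(g) + r"\s*\(", body)]
```

A non-empty result from either function is a prompt for manual review, not proof of exploitability: a guard may live in the caller, and an option may be overridden elsewhere.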
Security Fix
@@ -7,6 +7,7 @@ if ( isset( $_GET['wdcn_setting'] ) ) { $setting = htmlspecialchars( $_GET['wdcn_setting'] ); // phpcs:ignore + wp_nonce_field( 'wcdn_general_settings_action', 'wcdn_general_settings_nonce' ); ?> <select class="card-body" name="document_type" id="document_type" onchange="location = 'admin.php?page=wc-settings&tab=wcdn-settings&setting=wcdn_document&wdcn_setting=' + this.value;" > <option value="wcdn_invoice" >Invoice</option> @@ -363,6 +363,20 @@ * Install or update the default settings. */ public function update() { + // Admin Permission check. + if ( ! is_admin() ) { + return; + } + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + if ( ! isset( $_POST['wcdn_general_settings_nonce'] ) ) { + return; + } + $nonce = sanitize_text_field( wp_unslash( $_POST['wcdn_general_settings_nonce'] ) ); + if ( ! wp_verify_nonce( $nonce, 'wcdn_general_settings_action' ) ) { + return; + } // Set default template type for invoice, receipt, and delivery-note if not set. if ( false === get_option( 'wcdn_template_type_invoice', false ) ) { add_option( 'wcdn_template_type_invoice', 'yes' ); @@ -34,7 +34,7 @@ // Instantiate and use the dompdf class. $options = new \Dompdf\Options(); $options->set( 'isRemoteEnabled', true ); - $options->set( 'isPhpEnabled', true ); + $options->set( 'isPhpEnabled', false ); $dompdf = new Dompdf( $options );
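Review bot: In the first hunk (@@ -7,6 +7,7 @@), the added `wp_nonce_field( 'wcdn_general_settings_action', 'wcdn_general_settings_nonce' )` sits, as far as the visible lines show, inside the `if ( isset( $_GET['wdcn_setting'] ) )` branch, so the nonce field is only rendered when that query parameter is present. If this form's submission is what reaches `update()`, a page rendered without `wdcn_setting` would post no nonce and the new early return would drop the save silently; suggest emitting the nonce field unconditionally with the form. Separately, `htmlspecialchars( $_GET['wdcn_setting'] )` under `// phpcs:ignore` would be better as `sanitize_key( wp_unslash( $_GET['wdcn_setting'] ) )`, with escaping done at output.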
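Review bot: In the `update()` hunk (@@ -363,6 +363,20 @@), the new early returns sit above the default-option setup, so the `add_option( 'wcdn_template_type_invoice', 'yes' )` path that the docblock describes as "Install or update the default settings" no longer runs unless the request is an admin POST carrying `wcdn_general_settings_nonce`. If this method is also called on activation or upgrade, defaults will not be installed; suggest keeping the capability and nonce checks on the code that processes submitted settings and moving default installation into a separate method. Also, `is_admin()` under the comment "Admin Permission check" is not a permission check (it reports the request context, not the user's privileges); `current_user_can( 'manage_options' )` is what enforces authorization here, so the comment belongs on that line.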
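Review bot: In the Dompdf hunk (@@ -34,7 +34,7 @@), `isRemoteEnabled` is left at `true` on the unchanged context line while only `isPhpEnabled` is turned off. With remote access enabled, Dompdf will fetch external resources referenced by the rendered document, so if the templates only need local assets this should be set to `false` as well, or the reason it must stay enabled should be documented next to the `set()` call.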
Exploit Outline
The exploit targets the lack of authorization in the `update()` method of the `WooCommerce_Delivery_Notes` class.

1. Target Endpoint: Send a POST request to any administrative URL (like `wp-admin/admin-post.php` or `wp-admin/admin.php?page=wc-settings&tab=wcdn-settings`) that triggers the plugin's `update` logic.
2. Payload Shape: The attacker includes setting parameters (e.g., `wcdn_document[]`, `wcdn_template_type`) in the POST body. Because the `update()` function in versions <= 5.8.0 lacks both `current_user_can()` checks and `wp_verify_nonce()` validation, the plugin will process these settings changes even if the requester is unauthenticated or has low privileges.
3. Escalation: By modifying template settings or styles (which were also poorly escaped before the patch), an attacker can inject malicious content into the generated PDFs. Combined with the insecure `isPhpEnabled => true` configuration in Dompdf, this could lead to Remote Code Execution (RCE) if the attacker can inject `<script type="text/php">` tags into the document source.