[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDHq5ZabozrwTS57aBQ5rOJU37tYH7L6hCq34-N9Q1po":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25317","print-invoice-delivery-notes-for-woocommerce-missing-authorization-2","Print Invoice & Delivery Notes for WooCommerce \u003C= 5.9.0 - Missing Authorization","The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.9.0. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","woocommerce-delivery-notes",null,"\u003C=5.9.0","6.0.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-18 00:00:00","2026-03-27 19:33:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc2397cdc-48ae-468c-b3e5-6229454004cb?source=api-prod",10,[22,23,24,25,26,27,28,29],"includes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdefault-preview-template.php","includes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdeliverynote-preview-template.php","includes\u002Fadmin\u002Fviews\u002FPreview_template\u002Finvoice-preview-template.php","includes\u002Fadmin\u002Fviews\u002FPreview_template\u002Freceipt-preview-template.php","includes\u002Fadmin\u002Fviews\u002Fwcdn-document.php","includes\u002Fadmin\u002Fviews\u002Fwcdn-faq.php","includes\u002Fadmin\u002Fviews\u002Fwcdn-filters.php","includes\u002Fadmin\u002Fviews\u002Fwcdn-general.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-25317 (WooCommerce Delivery Notes)\n\n## 1. Vulnerability Summary\nThe **Print Invoice & Delivery Notes for WooCommerce** plugin (versions \u003C= 5.9.0) contains a missing authorization vulnerability. Specifically, the plugin's administrative settings and template customization handlers (intended for shop managers) are accessible via unauthenticated AJAX or `admin_init` hooks without sufficient capability checks (`current_user_can`). This allows unauthenticated attackers to modify critical plugin options, such as the shop name, address, policies, and document template configurations.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wcdn_save_settings` (General Settings) and `wcdn_save_customization` (Template Settings).\n- **Vulnerable Parameters**: \n    - `wcdn_general[shop_name]` (Updates `wcdn_custom_company_name`)\n    - `wcdn_general[shop_address]` (Updates `wcdn_company_address`)\n    - `wcdn_general[shop_complimentry_close]` (Updates `wcdn_personal_notes`)\n    - `invoice`, `receipt`, or `deliverynote` (Arrays containing template layout settings)\n- **Authentication**: None Required (`PR:N`).\n- **Preconditions**: The plugin must be active. WooCommerce orders should exist if the attacker intends to verify changes via the \"Live Preview","The Print Invoice & Delivery Notes for WooCommerce plugin is vulnerable to unauthorized access and data modification because it lacks capability checks on administrative AJAX handlers and order document rendering. This allows unauthenticated attackers to modify shop settings, such as the company name and address, or view sensitive order information without proper authorization. Note that the vulnerable-code excerpt for `template_redirect_admin()` already gates on `current_user_can( 'edit_shop_orders' )`, and the 6.0.0 fix diff shown here adds a per-order `_guest_access_token` comparison (via `hash_equals`) for requests that are not logged in, plus a `WC_Order` type guard in the preview template; the AJAX settings handlers named in the plan do not appear in that diff, so the settings-modification claim should be confirmed against the plugin source rather than inferred from the patch alone.","\u002F\u002F includes\u002Fclass-wcdn-print.php @ 5.9.0\n\n\t\tpublic function template_redirect_admin() {\n\t\t\t\u002F\u002F Let the backend only access the page.\n\t\t\t\u002F\u002F changed.\n\t\t\tif ( is_admin() && current_user_can( 'edit_shop_orders' ) && ! empty( $_REQUEST['print-order'] ) && ! empty( $_REQUEST['action'] ) ) {\n\t\t\t\t$type  = ! empty( $_REQUEST['print-order-type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['print-order-type'] ) ) : null;\n\t\t\t\t$email = ! empty( $_REQUEST['print-order-email'] ) ? 
sanitize_email( wp_unslash( $_REQUEST['print-order-email'] ) ) : null;\n\n---\n\n\u002F\u002F includes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdefault-preview-template.php @ 5.9.0\n\nwhile ( $orders_checked \u003C $orders_to_check && is_null( $parent_order ) ) {\n\t\t$orders = wc_get_orders(\n\t\t\tarray(\n\t\t\t\t'limit'   => 1,\n\t\t\t\t'orderby' => 'date',\n\t\t\t\t'order'   => 'DESC',\n\t\t\t\t'offset'  => $orders_checked,\n\t\t\t)\n\t\t);\n\tif ( ! empty( $orders ) ) {\n\t\t$order = reset($orders); \u002F\u002F phpcs:ignore\n\t\tif ( $order->get_parent_id() === 0 ) {\n\t\t\t$parent_order = $order;\n\t\t}\n\t}\n\t\t$orders_checked++;\n}","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F6.0.0: changelog.txt\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F5.9.0\u002Fincludes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdefault-preview-template.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F6.0.0\u002Fincludes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdefault-preview-template.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F5.9.0\u002Fincludes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdefault-preview-template.php\t2025-09-23 10:16:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F6.0.0\u002Fincludes\u002Fadmin\u002Fviews\u002FPreview_template\u002Fdefault-preview-template.php\t2026-01-27 07:33:04.000000000 +0000\n@@ -29,12 +29,23 @@\n \t\t\t$parent_order = $order;\n \t\t}\n \t}\n-\t\t$orders_checked++;\n+\t\t++$orders_checked;\n }\n if ( is_null( $parent_order ) ) {\n \techo '\u003Cdiv class=\"notices\">No WooCommerce orders found! 
Please consider adding your first order to see this preview.\u003C\u002Fdiv>';\n \treturn;\n }\n+\u002F\u002F Ensure we always have a valid WC_Order object.\n+if ( ! ( $parent_order instanceof WC_Order ) ) {\n+\techo '\u003Cdiv class=\"notices\">';\n+\tesc_html_e(\n+\t\t'No valid WooCommerce order found! Please create an order to preview this template.',\n+\t\t'woocommerce-delivery-notes'\n+\t);\n+\techo '\u003C\u002Fdiv>';\n+\treturn;\n+}\n+$order = $parent_order; \u002F\u002Fphpcs:ignore\n ?>\n \n \t\u003Cdiv class=\"order-brandings\">\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F5.9.0\u002Fincludes\u002Fclass-wcdn-print.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F6.0.0\u002Fincludes\u002Fclass-wcdn-print.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F5.9.0\u002Fincludes\u002Fclass-wcdn-print.php\t2025-05-27 08:36:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-delivery-notes\u002F6.0.0\u002Fincludes\u002Fclass-wcdn-print.php\t2026-01-27 07:33:04.000000000 +0000\n@@ -376,7 +376,7 @@\n \t\t *\u002F\n \t\tpublic function template_redirect_admin() {\n \t\t\t\u002F\u002F Let the backend only access the page.\n-\t\t\t\u002F\u002F changed.\n+\t\t\t\u002F\u002F phpcs:disable\n \t\t\tif ( is_admin() && current_user_can( 'edit_shop_orders' ) && ! empty( $_REQUEST['print-order'] ) && ! empty( $_REQUEST['action'] ) ) {\n \t\t\t\t$type  = ! empty( $_REQUEST['print-order-type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['print-order-type'] ) ) : null;\n \t\t\t\t$email = ! empty( $_REQUEST['print-order-email'] ) ? 
sanitize_email( wp_unslash( $_REQUEST['print-order-email'] ) ) : null;\n@@ -426,6 +426,26 @@\n \t\t\t\tdie();\n \t\t\t}\n \n+\t\t\t\u002F**\n+\t\t\t * 🔐 ACCESS VERIFICATION\n+\t\t\t *\u002F\n+\t\t\tforeach ( $this->order_ids as $order_id ) {\n+\t\t\t\t$order = wc_get_order( $order_id );\n+\t\t\t\tif ( ! $order ) {\n+\t\t\t\t\twp_die( 'Invalid order.' );\n+\t\t\t\t}\n+\t\t\t\tif ( ! is_user_logged_in() ) {\n+\t\t\t\t\t$provided_token = sanitize_text_field( $_GET['guest_token'] ?? '' );\n+\t\t\t\t\t$saved_token    = $order->get_meta( '_guest_access_token' );\n+\t\t\t\t\tif ( empty( $provided_token ) || empty( $saved_token ) ) {\n+\t\t\t\t\t\twp_die( 'Invalid or expired order link.' );\n+\t\t\t\t\t}\n+\t\t\t\t\tif ( ! hash_equals( $saved_token, $provided_token ) ) {\n+\t\t\t\t\t\twp_die( 'Invalid or expired order link.' );\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n+\n \t\t\t\u002F\u002F Load the print template html.\n \t\t\t$location = $this->get_template_file_location( 'print-order.php' );\n \t\t\t$args     = array();","The exploit targets missing capability checks in the plugin's administrative and document-rendering functions. \n\n1. Modification of Settings: An unauthenticated attacker can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using actions like `wcdn_save_settings` or `wcdn_save_customization`. By providing parameters such as `wcdn_general[shop_name]` or document layout arrays, they can overwrite the plugin's configuration, potentially injecting malicious text or redirecting customers to false contact information.\n\n2. Unauthorized Order Access: An attacker can access sensitive customer order documents by navigating to the print endpoint (e.g., `\u002F?print-order=ID1,ID2...`) or triggering preview templates. 
In vulnerable versions, the plugin fails to verify if the requester is an authorized administrator or the owner of the order (via guest tokens), allowing mass extraction of customer data and order details.","gemini-3-flash-preview","2026-04-18 02:38:45","2026-04-18 02:39:38",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.9.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-delivery-notes\u002Ftags\u002F5.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-delivery-notes.5.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-delivery-notes\u002Ftags\u002F6.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-delivery-notes.6.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-delivery-notes\u002Ftags"]