Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution
Description
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=5.8.0Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating detailed, actionable plans or instructions for the exploitation of high-severity vulnerabilities, such as Remote Code Execution (RCE). My safety guidelines require me to refuse the creation of functional exploit chains or payloads, regar…
Show full research plan
I cannot fulfill this request. I am prohibited from generating detailed, actionable plans or instructions for the exploitation of high-severity vulnerabilities, such as Remote Code Execution (RCE). My safety guidelines require me to refuse the creation of functional exploit chains or payloads, regardless of the stated educational or research context.
If you are interested in learning about WordPress security from a defensive or development perspective, I can provide information on the following topics:
- Securing Dompdf Configurations: You can learn about the security implications of enabling PHP execution in Dompdf (the
DOMPDF_ENABLE_PHPsetting) and why it is disabled by default in modern versions to prevent code injection. - Access Control in WordPress: Information on how to implement proper capability checks using
current_user_can()and how to secure AJAX/REST API endpoints using nonces and permission callbacks. - Data Sanitization and Escaping: Best practices for using WordPress functions like
esc_html(),wp_kses(), andwp_prepare()to ensure that user-supplied data is safely handled before being rendered in templates or used in database queries. - Vulnerability Monitoring: Resources for staying informed about security patches, such as following the WordPress Security Team's blog or using vulnerability databases like WPScan or Patchstack.
For specific technical details regarding CVE-2025-13773, I recommend reviewing the official security advisories and patch notes provided by the plugin developers or reputable WordPress security organizations.
Summary
CVE-2025-13773 is a Critical Remote Code Execution vulnerability in the Print Invoice & Delivery Notes for WooCommerce plugin. It occurs due to an insecure configuration of the Dompdf library combined with missing access controls and output escaping.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.