WordPress Plugin Vulnerabilities

WooCommerce PDF Invoice Builder < 1.2.92 - Subscriber+ Arbitrary Invoice Access

Description

The plugin does not have authorisation in the GetInvoiceDetail function, allowing any authenticated users, such as subscriber to access arbitrary invoice by knowing or guessing the order and invoice IDs

Affects Plugins

Plugin icon
woo-pdf-invoice-builder
Fixed in 1.2.92

References

CVE
CVE-2023-4245

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
01d16745-3ea3-4451-b257-2ea21b1a56f5

Timeline

Publicly Published
2023-08-18 (about 2 years ago)
Added
2023-09-07 (about 2 years ago)
Last Updated
2023-09-07 (about 2 years ago)

Other

Published
Title
Published
2026-03-23
Title
Salon Booking System Pro < 10.30.12 - Missing Authorization
Published
2025-09-06
Title
Travel Booking WordPress Theme < 3.2.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2024-10-21
Title
My Wp Brand – Hide menu & Hide Plugin < 1.1.3 - Missing Authorization
Published
2025-11-30
Title
Payment Gateway for PayPal on WooCommerce < 9.0.54 - Missing Authorization
Published
2024-03-28
Title
AI WP Writer < 3.6.5.6 - Missing Authorization