WordPress Plugin Vulnerabilities

WooCommerce PDF Invoice Builder < 1.2.149 - Cross-Site Request Forgery

Description

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.148. This is due to missing or incorrect nonce validation on the 'clone' case. This makes it possible for unauthenticated attackers to clone invoices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woo-pdf-invoice-builder
Fixed in 1.2.149

References

CVE
CVE-2025-53203
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/300da4da-a3d4-4a64-80c2-4bb37ea64f5e

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
0b2ca87b-470e-485e-9dc5-9568d436d76e

Timeline

Publicly Published
2025-06-27 (about 11 months ago)
Added
2025-07-02 (about 10 months ago)
Last Updated
2025-07-02 (about 10 months ago)

Other

Published
Title
Published
2025-02-11
Title
WP Abstracts < 2.7.4 - Cross-Site Request Forgery to Arbitrary Account Deletion
Published
2023-10-18
Title
Appointment Calendar <= 2.9.6 - CSRF
Published
2023-11-07
Title
Plugin Name: Device Theme Switcher <= 3.0.2 - Cross-Site Request Forgery
Published
2023-11-06
Title
Code Snippets < 3.6.0 - Arbitrary settings change via CSRF
Published
2025-03-21
Title
CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Font Assignment Deletion