WordPress Plugin Vulnerabilities

WooCommerce PDF Invoices & Packing Slips < 5.0.0 - Missing Authorization

Description

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
woocommerce-pdf-invoices-packing-slips
Fixed in 5.0.0

References

CVE
CVE-2025-67589
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2053171-a213-43bf-bd15-2f42a178c3a8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Phat RiO - BlueRock
Verified
No
WPVDB ID
1fb1ccfe-dc17-4577-bdb4-c3fe22964b39

Timeline

Publicly Published
2025-12-07 (about 5 months ago)
Added
2025-12-11 (about 5 months ago)
Last Updated
2025-12-11 (about 5 months ago)

Other

Published
Title
Published
2024-07-11
Title
Titan Anti-spam & Security < 7.3.8 - Missing Authorization
Published
2024-06-06
Title
WooCommerce Tools < 1.2.10 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation
Published
2026-01-30
Title
Fitness FSE <= 1.0.6 - Missing Authorization
Published
2026-01-14
Title
Alma < 5.16.2 - Missing Authorization
Published
2024-06-27
Title
Easy Image Collage < 1.13.6 - Missing Authorization to Authenticated (Contributor+) Data Clearance