WordPress Plugin Vulnerabilities

Print Invoice & Delivery Notes for WooCommerce < 5.9.0 - Unauthenticated Remote Code Execution

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.

Affects Plugins

Plugin icon
woocommerce-delivery-notes
Fixed in 5.9.0

References

CVE
CVE-2025-13773
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
shark3y, Marcin Dudek (dudekmar)
Verified
No
WPVDB ID
83b1348e-a027-4298-9303-8369be6bfe39

Timeline

Publicly Published
2025-12-23 (about 4 months ago)
Added
2025-12-23 (about 4 months ago)
Last Updated
2025-12-24 (about 4 months ago)

Other

Published
Title
Published
2025-08-03
Title
Javo Core <= 3.0.0.266 - Unauthenticated Remote Code Execution
Published
2018-11-11
Title
Simple Link Directory < 5.6.0 - Authenticated PHP Object Injection
Published
2014-08-01
Title
Hungred Post Thumbnail - hpt_file_upload.php File Upload PHP Code Execution
Published
2022-05-18
Title
The School Management < 9.9.7 - Unauthenticated RCE via REST api
Published
2025-09-03
Title
Easy Timer < 4.2.2 - Authenticated (Editor+) Remote Code Execution via Shortcode