WordPress Plugin Vulnerabilities

WooCommerce PDF Invoices < 4.3.0 - Shop Manager+ Arbitrary Options Update

Description

The plugin does not have proper authorisation in its JSON import feature, which could allow Shop Manager and above roles to update arbitrary blog options

Affects Plugins

Plugin icon
print-invoices-packing-slip-labels-for-woocommerce
Fixed in 4.3.0

References

CVE
CVE-2023-51546
URL
https://patchstack.com/database/vulnerability/print-invoices-packing-slip-labels-for-woocommerce/wordpress-woocommerce-pdf-invoices-packing-slips-delivery-notes-and-shipping-labels-plugin-4-2-1-privilege-escalation-vulnerability

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
86ba32bc-9ea3-4571-86e0-cbc7f0172302

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ Arbitrary File Upload
Published
2022-11-21
Title
Car Dealer < 3.05 - Subscriber+ Arbitrary Plugin Installation
Published
2025-10-31
Title
Folderly < 0.3.1 - Incorrect Authorization to Authenticated (Author+) Term Deletion
Published
2025-04-24
Title
Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions
Published
2026-01-08
Title
WP Table Builder < 2.0.20 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation