WordPress Plugin Vulnerabilities

Print Invoice & Delivery Notes for WooCommerce < 5.4.1 - Missing Authorization to Authenticated (Subscriber+) Logo Deletion

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcdn_remove_shoplogo' AJAX action in all versions up to, and including, 5.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the shop's logo.

Affects Plugins

Plugin icon
woocommerce-delivery-notes
Fixed in 5.4.1

References

CVE
CVE-2024-12210
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8883d4fe-3ca6-4591-9972-219b114126d3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tieu Pham Trong Nhan
Verified
No
WPVDB ID
8792d940-e143-4e77-b3db-79161a03d1fd

Timeline

Publicly Published
2024-12-23 (about 1 year ago)
Added
2024-12-23 (about 1 year ago)
Last Updated
2024-12-24 (about 1 year ago)

Other

Published
Title
Published
2026-02-11
Title
FullCalendar <= 1.6 - Missing Authorization
Published
2024-02-02
Title
Quicksand Post Filter jQuery Plugin <= 3.1.1 - Missing Authorization via quicksand_admin_ajax
Published
2024-05-20
Title
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 - Missing Authorization to Unauthenticated Ad Status Update
Published
2025-10-16
Title
UiChemy < 4.0.1 - Missing Authorization
Published
2025-11-20
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.1 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion