Print Invoice & Delivery Notes for WooCommerce < 5.5.0 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory | CVE 2024-13640 | Plugin Vulnerabilities

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.4.1 via the 'wcdn/invoice' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/wcdn/invoice directory which can contain invoice files if an email attachment setting is enabled.

Affects Plugins

woocommerce-delivery-notes

Fixed in 5.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/12ab3e54-a0b9-4420-ac90-f16e23688cca

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

c56b69c7-feea-4ea0-b750-acbb880dd412

Timeline

Publicly Published

2025-03-07 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-03-11 (about 1 year ago)

Other

Published

Title

Published

2026-01-08

Title

BetterDocs < 4.3.4 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2026-05-11

Title

Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields

Published

2023-12-05

Title

Ultimate Dashboard < 3.7.11 - Login Page Disclosure on Multi-site

Published

2026-02-02

Title

Run Contests, Raffles, and Giveaways with ContestsWP < 2.1.1 - Unauthenticated Information Exposure