WooCommerce PDF Invoice Builder < 1.2.102 – Cross-Site Request Forgery | CVE 2023-51486 | Plugin Vulnerabilities

Description

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.101. This is due to missing or incorrect nonce validation in the /pages/invoice_list.php file. This makes it possible for unauthenticated attackers to delete invoices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

woo-pdf-invoice-builder

Fixed in 1.2.102

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/652367a0-fca2-4313-8217-d8811ada0ab5

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

cbc52fe8-4bfb-4aba-a416-0050ead1f763

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-12-06

Title

PDF Thumbnail Generator < 1.5 - Cross-Site Request Forgery

Published

2019-06-12

Title

Contest Gallery <= 10.4.4 - Cross-Site Request Forgery (CSRF)

Published

2025-08-14

Title

Primer MyData for Woocommerce < 4.2.6 - Cross-Site Request Forgery

Published

2026-02-11

Title

Easy Table of Contents < 2.0.81 - Cross-Site Request Forgery

Published

2025-07-16

Title

FluentSnippets < 10.51 - Cross-Site Request Forgery