WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.7.2 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE 2025-24644 | Plugin Vulnerabilities

Description

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

print-invoices-packing-slip-labels-for-woocommerce

Fixed in 4.7.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c29b9cb5-fd47-47d6-a341-a4b5ca0683f1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

SavPhill (Savphill)

Verified

No

WPVDB ID

e3a83b8c-45bc-4b4b-8442-e540d2ac6516

Timeline

Publicly Published

2025-01-24 (about 1 year ago)

Added

2025-01-28 (about 1 year ago)

Last Updated

2025-01-28 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

GroupDocs Viewer 1.4.1 - grpdocs-dialog.php Multiple Parameter XSS

Published

2025-03-13

Title

DethemeKit for Elementor < 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-26

Title

Elementor Website Builder Pro < 3.20.2 - Authententicated (Contributor+) Stored Cross-Site Scripting

Published

2023-02-15

Title

Download Info Page <= 1.3.9 - Admin+ Stored XSS

Published

2025-03-27

Title

Ultimate Dashboard < 3.8.6 - Admin+ Stored XSS