WordPress Plugin Vulnerabilities

Print Invoice & Delivery Notes for WooCommerce < 5.6.0 - Cross-Site Request Forgery

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woocommerce-delivery-notes
Fixed in 5.6.0

References

CVE
CVE-2025-49239
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/272fc51d-aadd-4991-a308-3df8b62c35ac

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
domiee13
Verified
No
WPVDB ID
e92f51db-fb74-46e6-a4fe-c1bad7b404e3

Timeline

Publicly Published
2025-06-05 (about 11 months ago)
Added
2025-06-11 (about 11 months ago)
Last Updated
2025-06-11 (about 11 months ago)

Other

Published
Title
Published
2026-03-31
Title
Contact Form by WPForms < 1.10.0.3 - Cross-Site Request Forgery
Published
2025-04-01
Title
Ebook Downloader <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-06-05
Title
WP Table Builder < 2.0.7 - Cross-Site Request Forgery
Published
2026-04-21
Title
Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update
Published
2024-01-09
Title
Auto Affiliate Links < 6.4.2.8 - Cross-Site Request Forgery