PDF Invoices & Packing Slips for WooCommerce < 5.7.0 – Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification | CVE 2026-1906 | Plugin Vulnerabilities

Description

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.

Affects Plugins

woocommerce-pdf-invoices-packing-slips

Fixed in 5.7.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2e1922c6-e63b-47aa-97de-1e2382fa25d3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

f589766e-b6ae-438a-9cb2-416e26de3223

Timeline

Publicly Published

2026-02-17 (about 2 months ago)

Added

2026-02-17 (about 2 months ago)

Last Updated

2026-05-12 (about 1 day ago)

Other

Published

Title

Published

2025-03-06

Title

Golo - Directory & Listing, Travel WordPress Theme < 1.6.11 - Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Password Change

Published

2024-09-27

Title

EU/UK VAT Manager for WooCommerce < 2.12.14 - Missing Authorization

Published

2025-01-25

Title

Quiz Maker Business, Developer, and Agency - Unauthenticated Arbitrary Shortcode Execution

Published

2023-03-28

Title

Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update

Published

2025-08-14

Title

WPGuppy < 1.1.5 - Missing Authorization