Platform
wordpress
Component
woocommerce-delivery-notes
Fixed in
5.8.1
CVE-2025-13773 is a critical Remote Code Execution (RCE) vulnerability discovered in the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. It affects versions from 0.0.0 up to and including 5.8.0. A fix is available in version 5.9.0.
The vulnerability stems from a combination of factors: a missing capability check within the WooCommerceDeliveryNotes::update function, PHP being enabled in Dompdf, and a lack of proper escaping in the template.php file. This confluence of issues allows an attacker to bypass security controls and inject malicious code. Successful exploitation could lead to complete server compromise, including data exfiltration, malware installation, and denial of service. The unauthenticated nature of the exploit significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability has a high probability of exploitation (EPSS score likely to be high) due to its ease of exploitation and the widespread use of WordPress. Public proof-of-concept (PoC) code is likely to emerge quickly. The vulnerability was publicly disclosed on 2025-12-24. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.45% (63rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Print Invoice & Delivery Notes for WooCommerce plugin to version 5.9.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) can be configured to block requests targeting the vulnerable WooCommerceDeliveryNotes::update function, though this is not a substitute for patching. Review server configurations to ensure PHP is not unnecessarily enabled in Dompdf and that all user-supplied input is properly sanitized and escaped.
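The three weaknesses named above (missing capability check, PHP enabled in Dompdf, unescaped template output) map onto three independent controls. The following is an added illustration of what a hardened handler looks like; it is not the plugin's own code, and the class, hook, nonce and function names (Example_Delivery_Notes, example_dn_render, example_dn_nonce, render_pdf) are hypothetical. It assumes WordPress and the dompdf/dompdf package are loaded.

```php
<?php
// Added illustrative example, not the plugin's code. Names are hypothetical.
// Assumes WordPress core functions and Dompdf (Composer autoload) are available.

use Dompdf\Dompdf;
use Dompdf\Options;

class Example_Delivery_Notes {

    public function register(): void {
        // wp_ajax_* is only reachable by logged-in users, but "logged in" includes
        // low-privilege roles such as Subscriber, so a capability check is still required.
        add_action( 'wp_ajax_example_dn_render', array( $this, 'render_pdf' ) );
    }

    public function render_pdf(): void {
        // 1. Capability check: fail closed for anyone who may not manage orders.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        // 2. Nonce check: the request must originate from the plugin's own UI.
        check_ajax_referer( 'example_dn_nonce', 'nonce' );

        // 3. Validate input: the order id is an integer, nothing else is accepted.
        $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
        if ( 0 === $order_id ) {
            wp_send_json_error( 'invalid order id', 400 );
        }

        // 4. Escape everything that lands in the HTML template. Values rendered into
        //    the PDF are untrusted even when they were read back from the database.
        $customer_note = 'constructed sample <b>note</b> with markup'; // constructed value
        $html = sprintf(
            '<h1>Order #%d</h1><p>%s</p>',
            $order_id,
            esc_html( $customer_note )
        );

        // 5. Keep inline PHP in Dompdf disabled (the Dompdf default), so PHP tags or
        //    script blocks of type text/php inside a template are never executed.
        $options = new Options();
        $options->set( 'isPhpEnabled', false );
        $options->set( 'isRemoteEnabled', false ); // also refuse remote resource fetches
        $dompdf = new Dompdf( $options );
        $dompdf->loadHtml( $html );
        $dompdf->render();
        $dompdf->stream( 'delivery-note-' . $order_id . '.pdf', array( 'Attachment' => true ) );
        exit;
    }
}
```

Each control stands on its own: the capability and nonce checks stop unauthenticated or cross-site requests from reaching the renderer, escaping stops injected markup from reaching the template, and leaving `isPhpEnabled` at its default of false means that even template content that slipped through is rendered as text rather than executed.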
Update to version 5.9.0, or a newer patched version
CVE-2025-13773 is a critical Remote Code Execution vulnerability affecting the Print Invoice & Delivery Notes for WooCommerce plugin, allowing attackers to execute code on the server.
You are affected if you are using Print Invoice & Delivery Notes for WooCommerce versions 0.0.0 through 5.8.0. Upgrade to 5.9.0 or later to resolve the issue.
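To check an install against the affected range stated above without relying on the WordPress admin UI, the following added example (not part of the advisory or the plugin) reads the `Version:` header from the plugin's PHP files under the page's component slug `woocommerce-delivery-notes` and compares it with `version_compare`. The plugin directory path is assumed to be the standard location relative to the WordPress root; the sample header used first is constructed.

```php
<?php
// Added example, not the plugin's code. Uses the affected range from this page:
// versions 0.0.0 through 5.8.0 inclusive.

const EXAMPLE_LAST_AFFECTED = '5.8.0';

/** Extract the "Version:" header from plugin file contents, or null if absent. */
function example_plugin_version( string $contents ): ?string {
    // WordPress headers sit in a leading docblock, e.g. " * Version: 5.8.0".
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $contents, $m ) ) {
        return $m[1];
    }
    return null;
}

/** True when the version lies inside the affected range (<= 5.8.0). */
function example_is_affected( string $version ): bool {
    return version_compare( $version, EXAMPLE_LAST_AFFECTED, '<=' );
}

// Constructed sample header in the shape of a WordPress plugin header block.
$sample  = "<?php\n/**\n * Plugin Name: Print Invoice & Delivery Notes for WooCommerce\n";
$sample .= " * Version: 5.8.0\n */\n";
$version = example_plugin_version( $sample );
printf( "sample header: version %s, affected: %s\n",
    $version, example_is_affected( $version ) ? 'yes' : 'no' );

// Against a live install: run from the WordPress root (path assumed, standard layout).
$plugin_dir = 'wp-content/plugins/woocommerce-delivery-notes';
foreach ( glob( $plugin_dir . '/*.php' ) ?: array() as $file ) {
    $live = example_plugin_version( (string) file_get_contents( $file ) );
    if ( null === $live ) {
        continue; // not the main plugin file
    }
    printf( "%s: version %s, affected: %s\n",
        $file, $live, example_is_affected( $live ) ? 'yes' : 'no' );
    break; // the main plugin file is the only one carrying a Version header
}
```

`version_compare` handles multi-part and pre-release strings consistently, which a plain string or float comparison does not (for example `5.10.0` sorts after `5.9.0`); the script prints one line for the constructed sample and, if the directory exists, one for the installed plugin.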
Upgrade the Print Invoice & Delivery Notes for WooCommerce plugin to version 5.9.0 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation. Monitor security advisories.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.