Platform
wordpress
Component
woocommerce-delivery-notes
Fixed in
5.8.1
CVE-2025-13773 is a critical Remote Code Execution (RCE) vulnerability discovered in the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. It affects versions from 0.0.0 up to and including 5.8.0. A fix is available in version 5.9.0.
The vulnerability stems from a combination of factors: a missing capability check within the WooCommerceDeliveryNotes::update function, PHP being enabled in Dompdf, and a lack of proper escaping in the template.php file. This confluence of issues allows an attacker to bypass security controls and inject malicious code. Successful exploitation could lead to complete server compromise, including data exfiltration, malware installation, and denial of service. The unauthenticated nature of the exploit significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability has a high probability of exploitation (EPSS score likely to be high) due to its ease of exploitation and the widespread use of WordPress. Public proof-of-concept (PoC) code is likely to emerge quickly. The vulnerability was publicly disclosed on 2025-12-24. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites utilizing the Print Invoice & Delivery Notes for WooCommerce plugin, particularly those running older versions (0.0.0 – 5.8.0), are at significant risk. Shared hosting environments are especially vulnerable as they often lack granular control over plugin updates and security configurations. Sites with legacy WordPress installations or those that haven't implemented robust security practices are also at increased risk.
• wordpress / plugin: wp plugin list | grep 'woocommerce-delivery-notes' (wp plugin list prints plugin slugs, not display titles, so grep for the slug rather than the title "Print Invoice & Delivery Notes").
• wordpress / plugin: Check the plugin version using wp plugin list and verify whether it is below 5.9.0.
• wordpress / plugin: Examine template.php for unescaped user input.
• wordpress / server: Monitor web server access logs for requests to WooCommerceDeliveryNotes::update from unusual IP addresses.
• wordpress / server: Check for suspicious files created in the plugin's directory.
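The version check in the list above, written out as an added example (not code from the advisory or from the plugin): it parses the JSON form of `wp plugin list --format=json`, compares the installed version of the woocommerce-delivery-notes slug against the 5.9.0 fixed release named in this advisory, and reports whether an update is still required. The embedded plugin list is a constructed sample, and the script filename in the comment is a placeholder.

```python
import json
import sys

# Plugin slug from the advisory header and the fixed release named in its body.
AFFECTED_SLUG = "woocommerce-delivery-notes"
FIXED_VERSION = "5.9.0"

# Constructed sample of `wp plugin list --format=json` output (not data from a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "woocommerce-delivery-notes", "status": "active",
     "update": "available", "version": "5.8.0"},
])


def parse_version(version: str) -> tuple:
    """Turn '5.8.0' or '5.8' into a comparable int tuple; non-numeric parts count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """Advisory range: every release below the fixed version is affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected(plugin_list_json: str) -> list:
    """Return installed entries for the affected slug whose version is still vulnerable."""
    plugins = json.loads(plugin_list_json)
    return [p for p in plugins
            if p.get("name") == AFFECTED_SLUG and is_vulnerable(p.get("version", "0"))]


if __name__ == "__main__":
    # Feed real output with: wp plugin list --format=json | python3 check_plugin_version.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    hits = find_affected(raw if raw.strip() else SAMPLE_PLUGIN_LIST)
    for hit in hits:
        print(f"{hit['name']} {hit['version']} ({hit['status']}): below {FIXED_VERSION}, update required")
    if not hits:
        print(f"{AFFECTED_SLUG} not installed or already at a fixed version")
```

Run without piped input it evaluates the constructed sample; with `wp plugin list --format=json` piped in it checks the live site.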
disclosure
Exploit status
EPSS
0.45% (63rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Print Invoice & Delivery Notes for WooCommerce plugin to version 5.9.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) can be configured to block requests targeting the vulnerable WooCommerceDeliveryNotes::update function, though this is not a substitute for patching. Review server configurations to ensure PHP is not unnecessarily enabled in Dompdf and that all user-supplied input is properly sanitized and escaped.
Update to version 5.9.0, or a newer patched version
CVE-2025-13773 is a critical Remote Code Execution vulnerability affecting the Print Invoice & Delivery Notes for WooCommerce plugin, allowing attackers to execute code on the server.
You are affected if you are using Print Invoice & Delivery Notes for WooCommerce versions 0.0.0 through 5.8.0. Upgrade to 5.9.0 or later to resolve the issue.
Upgrade the Print Invoice & Delivery Notes for WooCommerce plugin to version 5.9.0 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation. Monitor security advisories.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.