{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13773", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-28T05:56:13.257Z", "datePublished": "2025-12-24T04:32:56.262Z", "dateUpdated": "2026-04-08T17:29:46.005Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:46.005Z"}, "affected": [{"vendor": "tychesoftwares", "product": "Print Invoice & Delivery Notes for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server."}], "title": "Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}, {"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "timeline": [{"time": "2025-12-23T16:17:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-24T14:16:53.058137Z", "id": "CVE-2025-13773", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T14:17:05.956Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13773", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-24T14:16:53.058137Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T14:17:01.836Z"}}], "cna": {"title": "Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}, {"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "tychesoftwares", "product": "Print Invoice & Delivery Notes for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.8.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-23T16:17:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52"}], "descriptions": [{"lang": "en", "value": "The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:46.005Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13773", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:46.005Z", "dateReserved": "2025-11-28T05:56:13.257Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-24T04:32:56.262Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server."}], "id": "CVE-2025-13773", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-24T05:16:05.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:54:33.281822+00:00", "value": {"mitigation_remediation": ["Update the Print Invoice & Delivery Notes for WooCommerce plugin to the latest version released by Tyche Softwares, which removes the capability check bug and disables PHP execution in the PDF generator.", "If an upgrade cannot be performed immediately, permanently deactivate or uninstall the plugin to eliminate the attack surface.", "As a temporary workaround, restrict the \u2018update\u2019 hook to users with the capability to edit plugin options or remove the hook altogether, ensuring that only authorized administrators can trigger PDF generation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Tyche Softwares publishes the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress. All releases up to and including 5.8.0 are affected; the vulnerability is present in the \u2018update\u2019 function of the plugin. The vendor has released newer versions that address the issue, but the CVE entry does not list a specific patched version.", "description_and_impact": "The Print Invoice & Delivery Notes for WooCommerce plugin contains an unauthenticated code injection vulnerability due to a missing capability check in its update routine, PHP execution enabled inside the Dompdf library, and lack of escaping in its template. This flaw is a CWE-94 injection that allows an attacker to inject and execute arbitrary PHP code when a PDF is requested. Based on the description, the likely attack vector is an unauthenticated HTTP request to the update endpoint that triggers PDF generation.", "risk_and_exploitability": "The CVSS score of 9.8 marks this as a critical severity flaw, but the EPSS score of less than 1% indicates a very low probability of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, no special privileges are required; an attacker can trigger the code execution simply by sending the crafted request to the vulnerable endpoint. Thus, the risk is high if the plugin is present, but the practical exploit likelihood remains low without visible attacks."}}}}, "created": "2025-12-24T11:51:01.193164+00:00", "updated": "2026-04-21T17:00:12.323622+00:00", "vendors": ["tychesoftwares", "tychesoftwares$PRODUCT$print_invoice_&_delivery_notes_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}