{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1906", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T15:19:56.700Z", "datePublished": "2026-02-18T05:29:17.309Z", "dateUpdated": "2026-04-08T16:44:19.177Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:19.177Z"}, "affected": [{"vendor": "wpovernight", "product": "PDF Invoices & Packing Slips for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage."}], "title": "PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e1922c6-e63b-47aa-97de-1e2382fa25d3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L895"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L72"}, {"url": "https://wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-02-17T17:18:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:17.700241Z", "id": "CVE-2026-1906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:53:09.667Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:17.700241Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:18.983Z"}}], "cna": {"title": "PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpovernight", "product": "PDF Invoices & Packing Slips for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-17T17:18:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e1922c6-e63b-47aa-97de-1e2382fa25d3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L895"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L72"}, {"url": "https://wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips/#developers"}], "descriptions": [{"lang": "en", "value": "The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:19.177Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1906", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:19.177Z", "dateReserved": "2026-02-04T15:19:56.700Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T05:29:17.309Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage."}, {"lang": "es", "value": "El plugin PDF Invoices &amp; Packing Slips para WooCommerce para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 5.6.0, inclusive, a trav\u00e9s de la acci\u00f3n AJAX 'wpo_ips_edi_save_order_customer_peppol_identifiers' debido a la falta de comprobaciones de capacidad y validaci\u00f3n de la propiedad del pedido. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, modificar los identificadores de punto final Peppol/EDI ('peppol_endpoint_id', 'peppol_endpoint_eas') para cualquier cliente al especificar un par\u00e1metro 'order_id' arbitrario en sistemas que utilizan facturaci\u00f3n Peppol. Esto puede afectar el enrutamiento de pedidos en la red Peppol y puede resultar en interrupciones de pago y fuga de datos."}], "id": "CVE-2026-1906", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:34.913", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L72"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L895"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e1922c6-e63b-47aa-97de-1e2382fa25d3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "pdf_invoices_&_packing_slips_for_woocommerce", "vendor": "wpovernight"}], "analysis": {"en": {"generated_at": "2026-04-16T00:41:24.149880+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of PDF Invoices & Packing Slips for WooCommerce (5.6.1 or newer) where proper authorization checks for the AJAX endpoint have been implemented.", "Restrict Peppol/EDI editing capabilities to Administrator (and necessary business roles) by removing the relevant capabilities from Subscriber and Contributor roles.\n", "Implement an additional ownership check in the wpo_ips_edi_save_order_customer_peppol_identifiers action so that a user can modify only orders that belong to them.\n", "Regularly audit the peppol_endpoint_id and peppol_endpoint_eas fields and monitor WordPress logs for suspicious calls to the wpo_ips_edi_save_order_customer_peppol_identifiers endpoint."], "summary": {"action": "Update Plugin", "impact": "Authenticated users with Subscriber or higher permissions can alter Peppol/EDI endpoint identifiers for any order, potentially redirecting invoices and disrupting payment flows"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have installed the PDF Invoices & Packing Slips for WooCommerce plugin version 5.6.0 or earlier are vulnerable. The vulnerability affects any running instance where the Peppol invoicing feature is enabled, regardless of other security configurations. Sites that have upgraded beyond 5.6.0 are not impacted by the known issue.", "description_and_impact": "The PDF Invoices & Packing Slips for WooCommerce plugin contains an insecure direct object reference in the AJAX action wpo_ips_edi_save_order_customer_peppol_identifiers. The code performs no capability checks or order ownership validation, allowing an authenticated user with relatively low privileges to supply any order identifier and modify the peppol_endpoint_id and peppol_endpoint_eas fields. This can reroute invoices to unintended parties, lead to payment delays or losses, and expose confidential customer data. The flaw aligns with the missing authorization weakness (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the immediate future. The flaw is not listed in CISA\u2019s KEV catalog. Exploitation requires a legitimate user account with at least Subscriber permissions and the ability to call the affected AJAX endpoint with a crafted order ID. Successful manipulation could alter invoice routing on the Peppol network, compromising integrity and confidentiality of transaction data."}}}}, "created": "2026-02-18T10:32:47.316156+00:00", "updated": "2026-04-16T00:45:15.972683+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpovernight", "wpovernight$PRODUCT$pdf_invoices_&_packing_slips_for_woocommerce"]}