CVE-2026-1906
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the wpo_ips_edi_save_order_customer_peppol_identifiers AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (peppol_endpoint_id, peppol_endpoint_eas) for any customer by specifying an arbitrary order_id parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| wpovernight | PDF Invoices & Packing Slips for WooCommerce | 0 <= 5.6.0 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2e1922c6-e63b-47aa-97de-1e2382fa25d3?source=cve
- https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L895
- https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.php#L72
- https://wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips/#developers
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.