CVE-2025-13773
Published: 2025-12-24
CVE-2025-13773: The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via…
Priority: P183 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: in the wild (ITW) · exploit available · VulnCheck KEV
Exploited in the wild
EPSS: 3.20% (86.5th percentile)
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to a missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP execution being enabled in Dompdf, and a missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tychesoftwares | print_invoice_delivery_notes_for_woocommerce | <= 5.8.0 | — |
Detection & IOCs (extracted from sources)
- The exploit entry point is the unauthenticated 'WooCommerce_Delivery_Notes::update' function: monitor for unauthenticated POST/AJAX requests targeting this WordPress action, which has no capability check.
- RCE is achieved via PHP execution enabled in Dompdf combined with unsanitised input in template.php: alert on Dompdf PHP execution or unexpected PHP evaluation triggered from the woocommerce-delivery-notes plugin context.
- Use a FOFA/Shodan fingerprint query to identify exposed instances: search for response bodies containing the plugin path string.
- The vulnerability requires Dompdf to have PHP execution enabled (non-default in hardened deployments); sites where Dompdf PHP execution is disabled are not exploitable via this vector.
- The Nuclei template is passive/version-check only (max-request: 2) and does not confirm active exploitation: a version match alone indicates exposure, not confirmed compromise.
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-9956-2fv5-m3gf · unreviewed · 2025-12-24 · CWE-94 · CRITICAL
Title: The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0
Description: identical to the NVD description above.
VulnCheck
tychesoftwares print_invoice_&_delivery_notes_for_woocommerce: Improper Control of Generation of Code ('Code Injection') · CVE-2025-13773 · CRITICAL · 2025 · CVSS 9.8
Description: identical to the NVD description above.
Affected: tychesoftwares Print Invoice & Delivery Notes for WooCommerce
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are una
No detection rules found.
Nuclei
WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution · CVE-2025-13773 · CRITICAL · CVSS 9.8
Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by a missing capability check, PHP enabled in Dompdf, and a missing escape in template.php, letting unauthenticated attackers execute code on the server.
Template:
```yaml
id: CVE-2025-13773

info:
  name: WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
  author: PikaJuna-ops
  severity: critical
  description: |
    Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.
```
References:
- https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347
- https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473
- https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52
- https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37
- https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36
- https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve