CVE-2026-52704
published 2026-06-15CVE-2026-52704: Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue…
PriorityP265critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.31%
23.1th percentile
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.
This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edgar_rojas | woocommerce_pdf_invoice_builder | n/a – 2.0.8 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Edgar Rojas WooCommerce PDF Invoice Builder Plugin up to 2.0.8 on WordPress code injection
vuldb·2026-06-15·CVSS 10.0
CVE-2026-52704 [CRITICAL] Edgar Rojas WooCommerce PDF Invoice Builder Plugin up to 2.0.8 on WordPress code injection
A vulnerability described as critical has been identified in Edgar Rojas WooCommerce PDF Invoice Builder Plugin up to 2.0.8 on WordPress. Impacted is an unknown function. The manipulation results in code injection.
This vulnerability is cataloged as CVE-2026-52704. The attack may be launched remotely. There is no exploit available.
GHSA
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.
ghsa_unreviewed·2026-06-15
CVE-2026-52704 [CRITICAL] CWE-94 Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.
This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-15
Published