CVE-2023-3764 in WooCommerce PDF Invoice Builder Plugin
Summary
by MITRE • 08/31/2023
The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.90. This is due to missing or incorrect nonce validation on the Save function. This makes it possible for unauthenticated attackers to make changes to invoices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/10/2026
The WooCommerce PDF Invoice Builder plugin presents a critical cross-site request forgery vulnerability that affects versions up to and including 1.2.90. This vulnerability stems from inadequate nonce validation within the plugin's save functionality, creating a significant security gap that undermines the integrity of the WordPress e-commerce ecosystem. The flaw allows unauthenticated attackers to manipulate invoice data through carefully crafted forged requests, exploiting the trust relationship between administrators and the vulnerable plugin.
This vulnerability operates at the application layer and specifically targets the plugin's administrative functions that handle invoice modifications. The missing or incorrect nonce validation means that any malicious actor who can convince a site administrator to perform a specific action can execute unauthorized modifications to invoice data. The attack vector relies on social engineering techniques where administrators might be tricked into clicking malicious links or visiting compromised websites that trigger the forged requests. This type of vulnerability falls under CWE-352, which specifically addresses cross-site request forgery conditions in web applications.
The operational impact of this vulnerability extends beyond simple data manipulation, potentially allowing attackers to alter invoice amounts, customer details, or other critical billing information. Such modifications could lead to financial discrepancies, fraudulent transactions, or disruption of legitimate business operations. The vulnerability is particularly dangerous because it requires minimal privileges from the attacker's perspective, as they only need to trick an authenticated administrator rather than gaining direct access to the system. This aligns with ATT&CK technique T1566 which describes social engineering methods used to gain initial access to systems.
Administrators face significant risk when this vulnerability exists in their WordPress installations, as it could enable attackers to modify billing records, potentially leading to revenue loss or compliance violations. The attack requires no authentication from the malicious party, making it particularly insidious since it exploits the administrator's trust in legitimate website interactions. Organizations using this plugin should immediately implement mitigation strategies including plugin updates, network monitoring, and administrator education about phishing attempts. The vulnerability demonstrates the critical importance of proper input validation and nonce implementation in web applications, particularly those handling financial data.
The security implications of this vulnerability extend to the broader WordPress ecosystem, as compromised plugins can serve as entry points for more extensive attacks. Attackers could potentially use this vulnerability as a stepping stone to gain further access to the WordPress installation or to escalate privileges within the system. Organizations should conduct immediate vulnerability assessments to identify all instances of this plugin and ensure proper patching procedures are followed. The incident highlights the necessity of maintaining up-to-date security practices and the importance of implementing proper security controls to prevent unauthorized modifications to critical business data through web application vulnerabilities.