CVE-2023-4245 in WooCommerce PDF Invoice Builder Plugin
Summary
by MITRE • 08/31/2023
The WooCommerce PDF Invoice Builder for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the GetInvoiceDetail function in versions up to, and including, 1.2.89. This makes it possible for subscribers to view arbitrary invoices provided they can guess the order id and invoice id.
Analysis
by VulDB Data Team • 04/10/2026
The vulnerability identified as CVE-2023-4245 affects the WooCommerce PDF Invoice Builder plugin for WordPress in versions up to and including 1.2.89. It is a critical authorization flaw that undermines the security model of the e-commerce platform by allowing unauthorized users to access sensitive financial data. The issue stems from a missing capability check in the GetInvoiceDetail function, which should have enforced access controls so that only authorized users could retrieve invoice information.
The flaw is a missing authorization check in the plugin's core functionality. When the GetInvoiceDetail function processes a request, it never verifies that the requesting user holds the permissions needed to view the requested invoice. This omission gives users with minimal access, such as subscribers, a direct path to data reserved for higher roles: they only need to guess valid order and invoice identifiers. The vulnerability is classified under CWE-284 (Improper Access Control), making it a clear example of insufficient authorization checks in web applications.
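To make the missing check concrete, the following is an added illustration and not the plugin's own code: a WordPress AJAX handler written in the shape the advisory describes (no capability or ownership check), beside a hardened version of the same handler. The hook names, request parameter names, nonce action and payload shape are all assumptions; the real GetInvoiceDetail function is not reproduced here.

```php
<?php
// Added example, not the plugin's code. Hook names, parameter names, the nonce
// action and the payload layout below are assumptions made for illustration.

// --- Pattern the advisory describes ---------------------------------------
// wp_ajax_* fires for every logged-in user, subscribers included, so the
// handler body is the only place an authorization decision can be made.
add_action( 'wp_ajax_demo_invoice_detail_vulnerable', 'demo_get_invoice_detail_vulnerable' );
function demo_get_invoice_detail_vulnerable() {
    $order_id   = absint( $_POST['order_id'] ?? 0 );
    $invoice_id = absint( $_POST['invoice_id'] ?? 0 );
    $order      = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No current_user_can()/user_can() and no ownership check: any logged-in
    // user who supplies a valid id pair receives the invoice data.
    wp_send_json_success( demo_build_invoice_payload( $order, $invoice_id ) );
}

// --- Hardened version -----------------------------------------------------
add_action( 'wp_ajax_demo_invoice_detail', 'demo_get_invoice_detail' );
function demo_get_invoice_detail() {
    // Reject cross-site requests first (nonce action name is an assumption).
    check_ajax_referer( 'demo_invoice_detail', 'nonce' );

    $order_id   = absint( $_POST['order_id'] ?? 0 );
    $invoice_id = absint( $_POST['invoice_id'] ?? 0 );

    if ( ! demo_user_can_view_order( get_current_user_id(), $order_id ) ) {
        // Same response for "does not exist" and "not yours", so the error
        // code does not confirm which guessed ids are valid.
        wp_send_json_error( 'not found', 404 );
    }

    $order = wc_get_order( $order_id );
    wp_send_json_success( demo_build_invoice_payload( $order, $invoice_id ) );
}

/**
 * The authorization decision: staff holding the WooCommerce shop-manager
 * capability may view any order; everyone else only orders they own.
 */
function demo_user_can_view_order( $user_id, $order_id ) {
    if ( $user_id <= 0 || $order_id <= 0 ) {
        return false;
    }
    if ( user_can( $user_id, 'manage_woocommerce' ) ) {
        return true;
    }
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return false;
    }
    return (int) $order->get_customer_id() === (int) $user_id;
}

function demo_build_invoice_payload( $order, $invoice_id ) {
    // Returned fields are an assumption; a real plugin returns far more.
    return array(
        'invoice_id' => $invoice_id,
        'order_id'   => $order->get_id(),
        'total'      => $order->get_total(),
    );
}
```

The important design point is that the capability check alone is not enough: `manage_woocommerce` answers "is this user staff?", while the ownership comparison against `get_customer_id()` answers "is this the customer's own order?". Both are needed, and the denied and not-found cases return the same response so that guessed identifiers cannot be confirmed one by one.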
The operational impact extends beyond simple data exposure to potential financial fraud and privacy violations. A subscriber who gains access to arbitrary invoices can view detailed order information including product descriptions, pricing, quantities, customer details and transaction histories. This information could be used for identity theft, competitive intelligence gathering, or targeted phishing against customers. The vulnerability is particularly dangerous because it requires minimal technical knowledge to exploit, making it attractive both to casual attackers and to more sophisticated threat actors who may use it as a foothold for further activity within the WordPress environment.
The security implications align with ATT&CK technique T1213.002 (Data from Information Repositories), which covers the extraction of sensitive business data through unauthorized access to application functions. Attackers could scale the issue across many orders by automating the guessing of identifiers or by combining it with other information disclosure weaknesses in the same system. The missing capability check is a fundamental flaw in the plugin's security architecture: the principle of least privilege is violated, and users can access data beyond their intended authorization level. Organizations running affected versions of the WooCommerce PDF Invoice Builder plugin face a significant risk of data breaches and regulatory compliance violations, particularly in environments subject to data protection regimes such as GDPR or the PCI DSS standard.
Mitigation should start with updating the plugin to a patched version that implements proper capability checks and access controls. Administrators should also review user roles and permissions to ensure that only authorized personnel can reach invoice data. Monitoring should be added to detect unusual access patterns or unauthorized retrieval attempts. The vulnerability highlights the importance of regular security auditing and of robust access control in every web application, particularly those handling sensitive financial information.
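The monitoring advice above can be made concrete with a small detector for the pattern the analysis describes, one low-privilege account walking through many order identifiers in a short time. The script below is an added example, not part of the advisory or the plugin; the per-request log format it parses is an assumption (one line per invoice-detail request as an audit-logging handler might emit), and the sample lines are constructed.

```php
<?php
// Added example. The log format and all sample lines are constructed; the
// thresholds are starting points to tune against real traffic.

$sample_log = <<<'LOG'
2023-08-31T10:00:01+00:00 invoice_detail user=12 ip=203.0.113.5 order=1001 invoice=1 result=ok
2023-08-31T10:00:03+00:00 invoice_detail user=12 ip=203.0.113.5 order=1002 invoice=1 result=ok
2023-08-31T10:00:04+00:00 invoice_detail user=12 ip=203.0.113.5 order=1003 invoice=1 result=ok
2023-08-31T10:00:05+00:00 invoice_detail user=12 ip=203.0.113.5 order=1004 invoice=1 result=ok
2023-08-31T10:00:06+00:00 invoice_detail user=12 ip=203.0.113.5 order=1005 invoice=1 result=ok
2023-08-31T10:00:07+00:00 invoice_detail user=12 ip=203.0.113.5 order=1006 invoice=1 result=ok
2023-08-31T10:02:00+00:00 invoice_detail user=7 ip=198.51.100.9 order=2201 invoice=3 result=ok
2023-08-31T10:05:00+00:00 invoice_detail user=7 ip=198.51.100.9 order=2201 invoice=3 result=ok
2023-08-31T10:20:00+00:00 invoice_detail user=3 ip=192.0.2.44 order=3001 invoice=1 result=ok
2023-08-31T10:21:00+00:00 invoice_detail user=3 ip=192.0.2.44 order=3002 invoice=1 result=ok
2023-08-31T10:30:00+00:00 invoice_detail user=21 ip=203.0.113.77 order=4001 invoice=1 result=denied
2023-08-31T10:30:02+00:00 invoice_detail user=21 ip=203.0.113.77 order=4002 invoice=1 result=denied
2023-08-31T10:30:04+00:00 invoice_detail user=21 ip=203.0.113.77 order=4003 invoice=1 result=denied
LOG;

/**
 * Parse one audit line into an associative array, or null if it does not match.
 */
function parse_line( string $line ): ?array {
    $re = '/^(?<ts>\S+) invoice_detail user=(?<user>\d+) ip=(?<ip>\S+) '
        . 'order=(?<order>\d+) invoice=(?<invoice>\d+) result=(?<result>\w+)$/';
    if ( ! preg_match( $re, trim( $line ), $m ) ) {
        return null;
    }
    return array(
        'ts'     => strtotime( $m['ts'] ),
        'user'   => (int) $m['user'],
        'ip'     => $m['ip'],
        'order'  => (int) $m['order'],
        'result' => $m['result'],
    );
}

/**
 * Flag users who (a) collected at least $min_denied denials, which is what a
 * patched install logs when someone probes ids they do not own, or (b) touched
 * at least $min_orders distinct order ids inside any $window_sec window, which
 * is the only signal an unpatched install gives because every lookup succeeds.
 * Returns user id => reason.
 */
function find_enumeration( string $log, int $window_sec = 300, int $min_orders = 5, int $min_denied = 3 ): array {
    $by_user = array();
    foreach ( explode( "\n", $log ) as $line ) {
        $e = parse_line( $line );
        if ( $e !== null ) {
            $by_user[ $e['user'] ][] = $e;
        }
    }

    $alerts = array();
    foreach ( $by_user as $user => $events ) {
        usort( $events, fn( $a, $b ) => $a['ts'] <=> $b['ts'] );

        $denied = count( array_filter( $events, fn( $e ) => $e['result'] === 'denied' ) );
        if ( $denied >= $min_denied ) {
            $alerts[ $user ] = "{$denied} denied invoice lookups";
            continue;
        }

        // Sliding window over distinct order ids per user.
        $n = count( $events );
        for ( $i = 0; $i < $n; $i++ ) {
            $seen = array();
            for ( $j = $i; $j < $n && $events[ $j ]['ts'] - $events[ $i ]['ts'] <= $window_sec; $j++ ) {
                $seen[ $events[ $j ]['order'] ] = true;
            }
            if ( count( $seen ) >= $min_orders ) {
                $alerts[ $user ] = count( $seen ) . " distinct orders within {$window_sec}s";
                break;
            }
        }
    }
    return $alerts;
}

foreach ( find_enumeration( $sample_log ) as $user => $reason ) {
    echo "user {$user}: {$reason}\n";
}
```

Run with the PHP CLI, the script reports user 12 (six distinct orders in a few seconds, every one of them successful, the shape of traffic an unpatched 1.2.89 install would produce) and user 21 (three denials, the shape a patched handler produces when someone keeps probing); users 7 and 3, who revisit their own one or two orders, are not flagged. The distinct-order rule matters most, because on an unpatched install nothing is denied and only the breadth of identifiers touched per account gives the activity away.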