CVE-2023-7068 in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels Plugininfo

Summary

by MITRE • 01/03/2024

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packinglist action in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to export orders which can contain sensitive information.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-7068 affects the WooCommerce PDF Invoices plugin for WordPress, specifically impacting versions up to and including 4.3.0. This security flaw stems from a critical missing capability check within the plugin's codebase, particularly concerning the print_packinglist action. The vulnerability represents a significant authorization bypass issue that undermines the integrity of the plugin's access controls and exposes sensitive customer data to unauthorized individuals within the WordPress ecosystem.

The technical implementation of this vulnerability occurs through the absence of proper capability verification before executing the print_packinglist action. When authenticated users with subscriber-level permissions or higher attempt to access the packing list functionality, the plugin fails to validate whether these users possess the appropriate administrative privileges required to export order information. This missing validation creates a direct pathway for privilege escalation within the plugin's functionality, allowing users who should not have access to sensitive order data to retrieve comprehensive order details including customer information, product specifications, and transactional data.

The operational impact of this vulnerability extends beyond simple data exposure, as it fundamentally compromises the security model of the WooCommerce plugin ecosystem. Attackers with subscriber-level access can exploit this flaw to compile detailed reports of customer orders, potentially including personal identification information, shipping addresses, and purchase histories. This unauthorized access capability directly violates the principle of least privilege and creates opportunities for data breaches, identity theft, and other malicious activities that could affect both businesses and their customers. The vulnerability affects all users within the WordPress platform who have subscriber-level access or higher, making it particularly concerning for sites with multiple user roles and permissions.

Organizations affected by this vulnerability should immediately implement mitigations including updating to the patched version of the plugin, reviewing user permissions, and monitoring for unauthorized access attempts. The vulnerability aligns with CWE-284, which specifically addresses improper access control issues in software systems. From an attack perspective, this flaw could be categorized under ATT&CK technique T1078 which deals with valid accounts and privilege escalation. Additionally, this vulnerability demonstrates poor input validation and access control implementation that could potentially lead to further exploitation if combined with other vulnerabilities within the same system. The security implications extend to compliance requirements such as GDPR and PCI DSS, where unauthorized access to customer data could result in significant regulatory penalties and loss of customer trust.

Responsible

Wordfence

Reservation

12/21/2023

Disclosure

01/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00387

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!