CVE-2024-3045 in PDF Invoices & Packing Slips for WooCommerce Plugininfo

Summary

by MITRE • 05/02/2024

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/03/2025

The vulnerability identified as CVE-2024-3045 affects the PDF Invoices & Packing Slips for WooCommerce plugin, a widely used WordPress extension that generates and manages PDF documents for e-commerce transactions. This plugin integrates with WooCommerce to create professional invoices and packing slips for orders, making it a critical component in many online retail operations. The flaw exists in versions up to and including 3.8.0, representing a significant security risk for WordPress sites that rely on this functionality for their business operations. The vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's codebase, creating a pathway for malicious actors to exploit the system through stored cross-site scripting attacks.

The technical implementation of this vulnerability involves several parameters within the plugin that fail to properly sanitize user input before processing or storing data. When attackers submit malicious payloads through these vulnerable parameters, the data gets stored in the WordPress database and subsequently executed whenever legitimate users access the affected pages. This stored XSS vulnerability operates without requiring authentication, meaning that any visitor to the website could potentially be affected simply by accessing pages containing the injected scripts. The flaw allows attackers to execute arbitrary web scripts in the context of the victim's browser, potentially enabling session hijacking, credential theft, or redirection to malicious websites. The vulnerability affects the plugin's invoice and packing slip generation functionality, where user-supplied data is processed without adequate sanitization measures.

The operational impact of this vulnerability extends beyond simple script execution, as it can compromise the entire WordPress installation and potentially the underlying e-commerce infrastructure. Attackers could exploit this vulnerability to steal administrator credentials, modify order information, or inject malicious content that affects customer data processing. The stored nature of the vulnerability means that the malicious scripts persist in the system until manually removed, providing attackers with long-term access to compromised sites. This risk is particularly severe for WooCommerce stores that handle sensitive customer information, payment data, and business-critical order processing. The vulnerability affects not only the immediate functionality of the plugin but also the overall security posture of WordPress sites, as it provides a foothold for more sophisticated attacks that could lead to complete system compromise.

Mitigation strategies for CVE-2024-3045 should prioritize immediate plugin updates to versions that address the stored XSS vulnerability, as this represents the most effective remediation approach. System administrators should implement comprehensive input validation and output escaping mechanisms throughout the WordPress environment, particularly for user-generated content processing. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and it maps to ATT&CK technique T1566 for social engineering via malicious content injection. Organizations should conduct thorough security audits of their WordPress installations, review plugin permissions and capabilities, and implement web application firewalls to detect and prevent exploitation attempts. Regular security monitoring and automated vulnerability scanning should be deployed to identify similar issues in other plugins or themes that may present similar security risks. Additionally, implementing proper access controls and regular security updates for all WordPress components remains essential for maintaining overall system integrity and preventing exploitation of similar vulnerabilities in the future.

Responsible

Wordfence

Reservation

03/28/2024

Disclosure

05/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00570

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!