CVE-2025-24373 in woocommerce-pdf-invoices-packing-slipsinfo

Summary

by MITRE • 02/04/2025

woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print & automatically email PDF invoices & packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store's document access is set to "guest." and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/19/2025

This vulnerability exists within the woocommerce-pdf-invoices-packing-slips plugin, a widely used extension for WooCommerce e-commerce platforms that enables users to generate, print, and automatically email PDF invoices and packing slips for orders. The flaw represents a critical access control bypass that undermines the security model designed to protect sensitive financial and shipping documentation. The vulnerability stems from improper validation of URL parameters within the document access system, specifically when the plugin processes requests for guest-accessible documents. When a store administrator configures the plugin to allow guest access to documents, the system should maintain proper authorization boundaries between different user states and document access levels.

The technical implementation of this vulnerability exploits a parameter manipulation flaw in the plugin's URL routing mechanism. An unauthorized attacker who obtains a valid guest document link can exploit this weakness by simply replacing the URL parameter value from "my-account" to "bulk" in the request. This parameter substitution effectively bypasses the intended access controls that should differentiate between individual account-based document access and bulk document retrieval functionality. The vulnerability specifically manifests when users are logged out of the system and attempting to access documents through guest access settings. This flaw allows attackers to potentially access any PDF document within the store's inventory without proper authentication, creating a significant data exposure risk.

The operational impact of this vulnerability extends beyond simple unauthorized document access, as it compromises the confidentiality of sensitive business information including customer order details, shipping addresses, payment information, and product specifications. This represents a direct violation of data protection principles and could lead to identity theft, financial fraud, and competitive intelligence gathering. The vulnerability affects all WooCommerce stores utilizing the plugin with guest access enabled, creating a widespread risk across numerous e-commerce platforms. According to industry standards such as CWE-284, this vulnerability falls under improper access control, where the system fails to properly enforce authorization checks for resource access. The issue also aligns with ATT&CK technique T1071.004, which describes application layer protocol manipulation, as the attacker manipulates URL parameters to gain unauthorized access.

The fix for this vulnerability was implemented in version 4.0.0 of the plugin, which introduced proper parameter validation and access control enforcement. This update addresses the root cause by ensuring that URL parameter manipulation cannot bypass the intended authorization mechanisms. Organizations using this plugin should immediately upgrade to version 4.0.0 or later to remediate the vulnerability. The lack of known workarounds means that stores cannot implement temporary fixes while awaiting the official update, making the upgrade process critical for maintaining security. Security practitioners should monitor their WooCommerce installations for this vulnerability and ensure that all related plugins are kept current with the latest security patches. The vulnerability demonstrates the importance of proper input validation and authorization checking in web applications, particularly in e-commerce systems where sensitive customer data is routinely processed and stored.

Responsible

GitHub M

Reservation

01/20/2025

Disclosure

02/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00434

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!