CVE-2026-13116 in PDF Invoices & Packing Slips Plugininfo

Summary

by MITRE • 07/11/2026

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability in the PDF Invoices & Packing Slips for WooCommerce plugin represents a critical security flaw that undermines the integrity of customer data protection within e-commerce environments. This issue manifests as an insecure direct object reference vulnerability that affects all versions up to and including 5.14.0, creating a pathway for authenticated attackers to bypass normal access controls and obtain sensitive information from orders they should not have access to. The vulnerability specifically resides in the generate_document_shortcode functionality, where insufficient validation allows malicious users to manipulate parameters and gain unauthorized access to third-party order data. The flaw is particularly concerning because it requires only contributor-level privileges or higher to exploit, making it accessible to users who may have legitimate business purposes but could abuse their access for data harvesting.

The technical implementation of this vulnerability stems from the absence of proper input validation on user-controlled parameters within the plugin's document generation system. When attackers manipulate the shortcode parameters, they can construct URLs that reference arbitrary order IDs without proper authorization checks. This occurs because the system relies on order_key values for authentication rather than implementing robust access control mechanisms that verify user permissions against specific order data. The vulnerability operates under the CWE-284 access control weakness framework, where insufficient controls allow unauthorized users to access resources they should not be able to reach. The attack vector is particularly dangerous because it enables session-free access to sensitive documents, meaning that once an attacker discovers a valid order key, they can repeatedly access those documents without maintaining an active session or re-authenticating.

The operational impact of this vulnerability extends far beyond simple data exposure, as it provides attackers with comprehensive access to customer information that could be used for identity theft, financial fraud, and targeted phishing attacks. The compromised data includes personally identifiable information such as names, addresses, email addresses, and phone numbers, along with business-critical details like order totals, payment methods, and customer notes. This information is particularly valuable in the current threat landscape where cybercriminals often combine multiple data breaches to create more sophisticated attack vectors. The exposure affects not only individual customers but also businesses that rely on WooCommerce for their operations, as the breach can compromise customer trust and potentially lead to regulatory penalties under data protection laws like gdpr and ccpa. Attackers can leverage this vulnerability to systematically harvest order information from multiple merchants, creating comprehensive databases of consumer purchasing behavior and personal details.

The exploitation conditions require specific plugin configuration settings to be in place, particularly when the Document link access type is set to 'full' rather than the default 'logged_in' value. This configuration choice fundamentally changes how access control operates within the plugin, switching from session-based authentication to order-key-based access that lacks proper authorization checks. The default 'logged_in' setting implements per-session nonce verification which prevents unauthorized access to third-party orders, making this vulnerability only exploitable when administrators configure the plugin with less secure settings. This design decision highlights a common security pattern where plugin developers may prioritize user convenience over security, inadvertently creating pathways for exploitation. Organizations should consider this vulnerability in the context of the ATT&CK framework's credential access and privilege escalation techniques, as it enables attackers to harvest credentials and access tokens through legitimate access points within the system.

Mitigation strategies must address both immediate configuration changes and long-term architectural improvements to prevent similar vulnerabilities from occurring in the future. Organizations should immediately verify that their plugin configurations are set to 'logged_in' access type rather than 'full' when generating document links, as this single change will eliminate the exploitation pathway for the current vulnerability. Additionally, administrators should implement regular security audits of their WordPress plugins and ensure that all software components are updated to the latest versions where available. The recommended approach includes implementing role-based access controls that limit which users can generate and access specific types of documents, along with logging and monitoring systems that track document generation activities for suspicious patterns. Organizations should also consider implementing additional security layers such as ip whitelisting for administrative functions and multi-factor authentication for privileged accounts to reduce the overall attack surface and prevent unauthorized access even if one component is compromised.

Responsible

Wordfence

Reservation

06/23/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!