Print Invoice & Delivery Notes for WooCommerce Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Print Invoice & Delivery Notes for WooCommerce plugin, affecting all versions up to and including 5.8.0. The issue lies in the 'WooCommerce_Delivery_Notes::update' function, which lacks a capability check, so unauthenticated attackers can modify the invoice, receipt, or delivery note templates. Because the plugin generates its PDF documents with Dompdf and PHP execution is enabled in Dompdf, PHP code placed in those templates is executed on the server.
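As an added illustration (not the plugin's own code; the handler shape, the option name 'wcdn_template_html' and the function names are assumptions), the unchecked update handler beside a hardened one, followed by Dompdf configured with PHP execution disabled:

```php
<?php
// Added illustration, not the plugin's own code. The handler structure, the
// 'wcdn_template_html' option name and all function names are assumptions.

use Dompdf\Dompdf;
use Dompdf\Options;

// Vulnerable pattern: the update handler trusts any request. Nothing verifies
// who is calling, so the stored template can be overwritten by anyone.
function wcdn_update_template_vulnerable() {
    $template = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : '';
    update_option( 'wcdn_template_html', $template );
}

// Hardened pattern: require an authorised user and a valid nonce, and reduce
// the submitted template to post-safe HTML before storing it.
function wcdn_update_template_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wcdn_update_template' ); // CSRF protection
    $raw      = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : '';
    $template = wp_kses_post( $raw );              // allow only post-safe HTML
    update_option( 'wcdn_template_html', $template );
}

// Defence in depth: render PDFs with PHP execution disabled in Dompdf, so a
// template that does slip through cannot run server-side code.
function wcdn_render_pdf( string $html ): string {
    $options = new Options();
    $options->set( 'isPhpEnabled', false );    // Dompdf default; keep it off
    $options->set( 'isRemoteEnabled', false ); // also block remote resource fetches
    $dompdf = new Dompdf( $options );
    $dompdf->loadHtml( $html );
    $dompdf->render();
    return $dompdf->output();
}
```

On an affected site, a Dompdf instance created with 'isPhpEnabled' set to true is the setting to look for alongside the missing capability check.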

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where the affected WordPress site is hosted.

Reproduction

To reproduce this vulnerability, upload a malicious PHP script to the WordPress site. Then use the Print Invoice & Delivery Notes for WooCommerce plugin to create an invoice, receipt, or delivery note. The plugin renders the document with Dompdf, which, with PHP enabled, executes the embedded PHP code. If the uploaded script runs, the vulnerability has been successfully exploited.

Remediation

Users are advised to update the Print Invoice & Delivery Notes for WooCommerce plugin to version 5.9.0 or later, where this vulnerability has been patched.

Added: Dec 24, 2025, 5:20 AM
Updated: Dec 24, 2025, 5:20 AM

Vulnerability Rating

Custom Algorithm

spread            1.0
impact           10.0
exploitability    9.3
remediation       7.7
relevance         1.6
threat            4.8
urgency           2.9
incentive        10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.