CVE-2024-3045
📋 TL;DR
This stored XSS vulnerability in the PDF Invoices & Packing Slips for WooCommerce WordPress plugin allows unauthenticated attackers to inject malicious scripts into web pages. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites running version 3.8.0 or earlier of this plugin are affected.
💻 Affected Systems
- PDF Invoices & Packing Slips for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform actions as logged-in users, or deface the site by modifying page content.
If Mitigated
With proper web application firewalls and input validation, the risk reduces to minimal impact, though the vulnerability still exists in the codebase.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple script injection via insufficiently sanitized parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.8.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3076105/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'PDF Invoices & Packing Slips for WooCommerce'.
4. Click 'Update Now' if available, or download version 3.8.1+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate woocommerce-pdf-invoices-packing-slips
Web Application Firewall Rule
Block XSS payloads targeting the vulnerable parameters
Add WAF rule to block scripts in PDF invoice parameters
🧯 If You Can't Patch
- Disable the PDF Invoices & Packing Slips plugin completely
- Implement strict Content Security Policy (CSP) headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'PDF Invoices & Packing Slips for WooCommerce' version 3.8.0 or earlier
Check Version:
wp plugin get woocommerce-pdf-invoices-packing-slips --field=version
Verify Fix Applied:
Verify plugin version is 3.8.1 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WooCommerce PDF endpoints with script tags
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing script tags in PDF invoice parameters
- Unusual traffic patterns to PDF generation endpoints
SIEM Query:
source="web_server_logs" AND (uri="*pdf-invoice*" OR uri="*packing-slip*") AND (content="<script>" OR content="javascript:")
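As an added example (not part of this advisory), the same detection logic as the SIEM query above, applied in Python to a few constructed access-log lines. The endpoint and parameter names in the sample lines are constructed, not the plugin's actual routes; the matching only relies on the advisory's "pdf-invoice" / "packing-slip" URI hints and the "<script>" / "javascript:" indicators, and additionally URL-decodes the request so encoded or double-encoded payloads are not missed.

```python
import re
from urllib.parse import unquote_plus

# URI substrings from the advisory's SIEM query, matched against the decoded URI.
ENDPOINT_HINTS = ("pdf-invoice", "packing-slip")
# The advisory's "<script>" and "javascript:" indicators, made tolerant of
# tag attributes, whitespace and mixed case (e.g. "<ScRiPt src=...>").
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

# Combined log format: ip ident user [timestamp] "METHOD URI PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); endpoint/parameter names are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2024:10:01:02 +0000] "GET /?document_type=packing-slip&order_ids=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2024:10:01:05 +0000] "GET /?document_type=pdf-invoice&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 430 "-" "curl/8.0"
203.0.113.12 - - [10/Apr/2024:10:01:09 +0000] "POST /checkout/?redirect=javascript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Apr/2024:10:01:12 +0000] "GET /?document_type=packing-slip&note=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 430 "-" "Mozilla/5.0"
"""


def decode_uri(uri: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) still match."""
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_xss_attempts(log_text: str) -> list[dict]:
    """Return one record per request that hits a PDF document endpoint and carries a script indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        uri = decode_uri(m.group("uri")).lower()
        if not any(hint in uri for hint in ENDPOINT_HINTS):
            continue  # script indicators elsewhere are out of scope for this rule
        if SCRIPT_PATTERN.search(uri):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"), "uri": uri})
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['uri']}")
```

Only the second and fourth sample lines are reported: the third carries a script indicator but is not a PDF document request, and the fourth is caught only because of the repeated decoding.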
🔗 References
- https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/trunk/ubl/Transformers/AddressTransformer.php#L16
- https://plugins.trac.wordpress.org/changeset/3076105/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2d0e5d24-5d65-4ed5-8086-347969cbd3ec?source=cve