CVE-2025-13773

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary code on WordPress servers running the Print Invoice & Delivery Notes for WooCommerce plugin. The flaw combines missing capability checks, PHP execution in Dompdf, and template escaping issues. All WordPress sites using this plugin up to version 5.8.0 are affected.

💻 Affected Systems

Products:
  • Print Invoice & Delivery Notes for WooCommerce WordPress plugin
Versions: All versions up to and including 5.8.0
Operating Systems: Any OS running WordPress with PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WooCommerce to be installed, but all default configurations are vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, malware installation, ransomware deployment, or website defacement.

🟠 Likely Case

Attackers gain shell access to the server, install backdoors, steal sensitive data, or use the server for further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit once details are understood, requiring minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.1 or later

Vendor Advisory: https://wordpress.org/plugins/woocommerce-delivery-notes/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Print Invoice & Delivery Notes for WooCommerce'.
4. Click 'Update Now' if available.
5. If not, download version 5.8.1+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable PHP in Dompdf

Applies to: all

Modify the Dompdf configuration to disable PHP execution: edit includes/front/vendor/dompdf/dompdf/src/Options.php and set 'isPhpEnabled' => false.

Add capability check

Applies to: all

Add an authentication check to the vulnerable update function: add 'if (!current_user_can('manage_options')) { wp_die(); }' before line 347 in class-woocommerce-delivery-notes.php.
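
The two workarounds above, shown together in one hardened handler. This is an added example written for this page, not the plugin's own code: the function names, the hook name, the nonce action and the option key are assumptions, and the plugin's real handler, template storage and line 347 are not reproduced here. It assumes Dompdf's autoloader is already loaded by the plugin. The PHP-execution switch is set through Dompdf's Options API instead of by editing the vendored Options.php, so it survives a plugin update; the AJAX handler is registered only on the authenticated wp_ajax_* hook and is guarded by a capability check and a nonce before anything is stored.

```php
<?php
// Added example (not part of the advisory or the plugin): a hardened admin-ajax
// handler for a template update, plus a Dompdf instance with inline PHP disabled.
// All names prefixed "example_" are assumptions made for this illustration.

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Build a Dompdf instance that refuses to execute inline PHP (workaround 1),
 * configured through the Options API rather than by patching vendor/.../Options.php.
 */
function example_build_dompdf(): Dompdf
{
    $options = new Options();
    $options->set('isPhpEnabled', false);    // never run <?php ... ?> found in the HTML
    $options->set('isRemoteEnabled', false); // also refuse remote resources (assumption: templates need none)
    return new Dompdf($options);
}

/**
 * AJAX handler for saving a template. Registered below on wp_ajax_* only
 * (never wp_ajax_nopriv_*), so anonymous requests never reach it.
 */
function example_wcdn_update_template(): void
{
    // Workaround 2: capability check. Anyone below an administrator stops here.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient privileges'], 403);
    }

    // CSRF protection: 'example_wcdn_template' is an assumed nonce action name.
    check_ajax_referer('example_wcdn_template', 'nonce');

    $template = isset($_POST['template']) ? wp_unslash($_POST['template']) : '';

    // Defence in depth for the escaping issue: keep only the HTML WordPress allows in
    // post content. Anything else, including <?php ... ?> blocks, is treated as a
    // disallowed tag and dropped before the template is stored.
    $template = wp_kses_post($template);

    update_option('example_wcdn_template', $template);
    wp_send_json_success(['length' => strlen($template)]);
}

// Authenticated hook only; deliberately no wp_ajax_nopriv_ registration.
add_action('wp_ajax_example_wcdn_update_template', 'example_wcdn_update_template');
```

The capability check alone reproduces the advisory's interim fix; the nonce, the absence of a nopriv hook and the kses filtering are the additional checks a plugin author would normally ship with the permanent fix, and the Dompdf option closes the PHP-execution path even if an unsafe template does get stored.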

🧯 If You Can't Patch

  • Immediately disable or remove the Print Invoice & Delivery Notes for WooCommerce plugin
  • Implement strict WAF rules to block requests to the vulnerable endpoint and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Print Invoice & Delivery Notes for WooCommerce → Version. If version is 5.8.0 or lower, you are vulnerable.

Check Version:

wp plugin list --name=woocommerce-delivery-notes --field=version

(The --name filter of wp plugin list matches the plugin slug, which for this plugin is woocommerce-delivery-notes, as in the vendor advisory URL; the display name does not match.)

Verify Fix Applied:

After updating, verify version shows 5.8.1 or higher in WordPress plugins page.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=wcdn_update_template
  • Unusual PHP execution in Dompdf logs
  • Suspicious file creation in WordPress directories

Network Indicators:

  • HTTP requests with malicious payloads in template parameters
  • Outbound connections from WordPress server to unknown IPs

SIEM Query:

source="wordpress.log" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "wcdn_update_template")
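
A small scanner that applies the first log indicator above to web-server access logs, added here as an example; it is not part of the advisory and not a vendor tool. The log lines it runs on are constructed for the illustration. One caveat a practitioner should know before relying on the SIEM query: admin-ajax.php normally receives the `action` parameter in the POST body, which a standard access log does not record. WordPress also accepts it in the query string, so the scanner matches that form; to see body parameters you need a WAF or ModSecurity audit log that captures request bodies, or you treat every POST to admin-ajax.php from unexpected clients as worth reviewing.

```php
<?php
// Added example (not part of the advisory): flag POST requests to
// /wp-admin/admin-ajax.php whose query string carries action=wcdn_update_template.
// Sample log lines are constructed; the action name comes from the advisory.

const SUSPICIOUS_ACTION = 'wcdn_update_template';

// Combined Log Format: host ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

/**
 * Parse one access-log line into its fields, or return null if it does not match.
 */
function parse_access_log_line(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;
    }
    $url   = parse_url($m[4]);
    $query = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

/**
 * Return the entries matching the advisory's log indicator: a POST to
 * /wp-admin/admin-ajax.php with action=wcdn_update_template in the query string.
 */
function find_wcdn_template_updates(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parse_access_log_line($line);
        if ($entry === null) {
            continue; // not a recognisable access-log line
        }
        if ($entry['method'] === 'POST'
            && str_ends_with($entry['path'], '/wp-admin/admin-ajax.php')
            && ($entry['query']['action'] ?? '') === SUSPICIOUS_ACTION) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data). Only the second line should match.
$sample = [
    '203.0.113.5 - - [10/Jan/2026:12:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcdn_update_template HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jan/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
];

foreach (find_wcdn_template_updates($sample) as $hit) {
    printf("[%s] %s POST %s action=%s status=%d\n",
        $hit['time'], $hit['ip'], $hit['path'], $hit['query']['action'], $hit['status']);
}
```

Run it against a real access log with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)` in place of `$sample`. A hit from an unknown client, or any hit on a site still below 5.8.1, is a reason to pull the server's file-modification timeline and outbound-connection records, which the remaining indicators above cover.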
