CVE-2025-24373

6.5 MEDIUM

📋 TL;DR

This vulnerability allows unauthorized users to access any PDF invoice or packing slip from a WooCommerce store by manipulating URL parameters. It affects all stores running the woocommerce-pdf-invoices-packing-slips plugin with guest document access enabled, and the requests succeed without the user being logged in.

💻 Affected Systems

Products:
  • woocommerce-pdf-invoices-packing-slips
Versions: All versions before 4.0.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when document access is set to 'guest' configuration option.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass exfiltration of all customer invoices containing sensitive PII, payment details, and order information, leading to data breach and regulatory violations.

🟠

Likely Case

Targeted access to specific customer invoices for identity theft, fraud, or competitive intelligence gathering.

🟢

If Mitigated

No impact if guest access is disabled or the plugin is patched to version 4.0.0 or later.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires obtaining a guest document link first, then simple URL parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0

Vendor Advisory: https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/security/advisories/GHSA-3j9m-cp35-94fr

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WooCommerce PDF Invoices & Packing Slips'.
4. Click 'Update Now' if an update is available.
5. Verify the version is 4.0.0 or higher.

🔧 Temporary Workarounds

Disable Guest Document Access (applies to all affected versions)

Change the document access setting from 'guest' to 'logged-in users only' to prevent exploitation.

🧯 If You Can't Patch

  • Immediately disable guest document access in plugin settings
  • Implement web application firewall rules to block URL parameter manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → WooCommerce PDF Invoices & Packing Slips version. If the version is below 4.0.0 and guest document access is enabled, the store is vulnerable.

Check Version:

wp plugin list --name='woocommerce-pdf-invoices-packing-slips' --field=version

Verify Fix Applied:

Confirm plugin version is 4.0.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests in which a 'bulk' parameter replaces 'my-account' in PDF document URLs
  • Unusual access patterns to PDF invoice endpoints from unauthenticated users

Network Indicators:

  • URL parameter manipulation attempts in web server logs
  • Bulk PDF download attempts from single IP

SIEM Query:

web.url:*bulk* AND web.url:*pdf* AND NOT user.authenticated:true
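The log and network indicators above can be checked offline before a SIEM rule is written. The following script is an added example for this advisory, not code from the plugin or its vendor: it parses constructed access-log lines in the common "combined" format, flags PDF document requests whose query carries a 'bulk' parameter where 'my-account' would normally appear, and then counts successful hits per source IP to surface bulk-download behaviour. The endpoint path `/pdf-document`, the parameter names and the IP addresses are assumptions made up for the sample; adapt the `is_pdf_document_request` heuristic to the real URL layout of your store. Web server logs do not record WordPress login state, so the 'unauthenticated' condition of the SIEM query cannot be reproduced here and every match is reported.

```python
"""Flag suspicious PDF-document requests in web server access logs.

Added example for CVE-2025-24373 detection; the log lines, endpoint path and
parameter layout below are constructed assumptions, not the plugin's real format.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed "combined" format access-log lines (not real traffic).
# Line 1 is a normal customer download (carries 'my-account').
# Lines 2-4 swap 'my-account' for 'bulk' and walk neighbouring order ids.
# Lines 5-6 are benign noise: a shop page and an unrelated admin-ajax 'bulk' action.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2025:12:00:01 +0000] "GET /pdf-document?type=invoice&order_ids=1001&my-account=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2025:12:00:05 +0000] "GET /pdf-document?type=invoice&order_ids=1001&bulk=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2025:12:00:06 +0000] "GET /pdf-document?type=invoice&order_ids=1002&bulk=1 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2025:12:00:07 +0000] "GET /pdf-document?type=packing-slip&order_ids=1003&bulk=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2025:12:01:00 +0000] "GET /shop/page/2/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2025:12:01:30 +0000] "POST /wp-admin/admin-ajax.php?action=bulk_edit HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict with ip, ts, method, url, status, path and parsed query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # keep_blank_values so a bare '&bulk' (no value) is still seen as a parameter
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_pdf_document_request(rec):
    """Heuristic (assumption): the document endpoint path or a query key mentions 'pdf'."""
    return "pdf" in rec["path"].lower() or any("pdf" in k.lower() for k in rec["query"])


def is_suspicious(rec):
    """Log indicator: a PDF document URL carrying 'bulk' instead of 'my-account'."""
    if rec is None or not is_pdf_document_request(rec):
        return False
    return "bulk" in rec["query"] and "my-account" not in rec["query"]


def scan(log_text, bulk_threshold=3):
    """Return (suspicious records, IPs with >= bulk_threshold successful suspicious downloads)."""
    hits = []
    successful_per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
            if rec["status"] == "200":  # network indicator: bulk downloads from a single IP
                successful_per_ip[rec["ip"]] += 1
    noisy_ips = sorted(ip for ip, n in successful_per_ip.items() if n >= bulk_threshold)
    return hits, noisy_ips


if __name__ == "__main__":
    hits, noisy_ips = scan(SAMPLE_LOG)
    for rec in hits:
        print(f"[suspicious] {rec['ip']} {rec['ts']} {rec['method']} {rec['url']} -> {rec['status']}")
    for ip in noisy_ips:
        print(f"[bulk-download] {ip}")
```

On the constructed sample the three 'bulk' requests are reported and 203.0.113.10 is listed as a bulk-download source; the admin-ajax `bulk_edit` line is ignored because it does not touch a PDF document endpoint. Lower `bulk_threshold` for low-traffic stores, and correlate flagged IPs with WordPress login records (for example wp_users last-login plugins or the `wordpress_logged_in_*` cookie, if your proxy logs it) to approximate the `NOT user.authenticated:true` clause of the SIEM query.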

🔗 References
