CVE-2025-53203
Description
Cross-Site Request Forgery (CSRF) vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder (woo-pdf-invoice-builder) allows Cross Site Request Forgery. This issue affects WooCommerce PDF Invoice Builder: from n/a through <= 1.2.148.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in EDGARROJAS WooCommerce PDF Invoice Builder lets attackers force privileged users to execute unwanted actions.
Overview
Cross-Site Request Forgery (CSRF) vulnerability in the EDGARROJAS WooCommerce PDF Invoice Builder plugin (woo-pdf-invoice-builder) for WordPress allows a remote attacker to trick a higher-privileged user into performing unintended actions under the victim's current authentication session [1]. The issue affects all versions up to and including 1.2.148 [1].
Exploitation
To exploit this vulnerability, an attacker must convince a privileged user—such as a site administrator—to click a malicious link, visit a crafted page, or submit a specially designed form [1]. No authentication is required on the attacker's part, but successful execution depends on user interaction from an already-authenticated victim [1].
Impact
If exploited, the attacker can force the victim to carry out actions within the plugin's functionality without their consent, potentially leading to unauthorized settings changes or data modifications [1]. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited direct impact typically achievable through CSRF [1].
Mitigation
The vendor has resolved the vulnerability with the release of version 1.2.149 of the plugin [1]. Users are strongly advised to update immediately, or to enable automatic updates for vulnerable plugins if using Patchstack [1]. No workarounds are mentioned beyond applying the patch.
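The page does not say which plugin action was reachable without protection, so the following is an added illustration of the general WordPress pattern behind this class of bug, not code from woo-pdf-invoice-builder: an admin-post handler that trusts any request arriving in an authenticated session, beside the same handler guarded by a capability check and a nonce bound to the action. Every function name, option name, action slug and nonce name below is hypothetical.

```php
<?php
/**
 * Added illustration, not code from woo-pdf-invoice-builder. The page does not
 * name the affected action, so the option name, action slug, nonce name and
 * function names here are hypothetical placeholders.
 */

// Vulnerable pattern: a settings handler that accepts any POST carried by an
// authenticated admin session. Because the browser attaches the login cookie
// automatically, a form submitted from an unrelated page is indistinguishable
// from one submitted from the plugin's own settings screen.
function hypothetical_save_invoice_settings_unprotected() {
    $footer = isset( $_POST['invoice_footer'] )
        ? sanitize_text_field( wp_unslash( $_POST['invoice_footer'] ) )
        : '';
    update_option( 'hypothetical_invoice_footer', $footer );
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-invoices' ) );
    exit;
}

// Hardened pattern: the same handler, but the caller must hold the relevant
// capability and present a nonce issued for this user and this action.
// check_admin_referer() stops the request with a 403 when the nonce is
// missing, expired, or was generated for a different action or user.
function hypothetical_save_invoice_settings() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'hypothetical_save_invoice_settings', '_hypothetical_nonce' );

    $footer = isset( $_POST['invoice_footer'] )
        ? sanitize_text_field( wp_unslash( $_POST['invoice_footer'] ) )
        : '';
    update_option( 'hypothetical_invoice_footer', $footer );
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-invoices' ) );
    exit;
}
add_action( 'admin_post_hypothetical_save_invoice_settings', 'hypothetical_save_invoice_settings' );

// The legitimate settings form emits the matching nonce field, so genuine
// submissions from the plugin's own screen pass the check above.
function hypothetical_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_save_invoice_settings">
        <?php wp_nonce_field( 'hypothetical_save_invoice_settings', '_hypothetical_nonce' ); ?>
        <input type="text" name="invoice_footer"
               value="<?php echo esc_attr( get_option( 'hypothetical_invoice_footer', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The capability check alone does not prevent CSRF, because the forged request is executed by a user who does hold the capability; the nonce is what ties the request to a page the victim actually rendered. When reviewing a plugin update that claims to fix a CSRF issue, the thing to look for is exactly this pairing of `wp_nonce_field()` (or `wp_create_nonce()`) on the form side with `check_admin_referer()` or `wp_verify_nonce()` on the handler side for every state-changing action.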
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.2.148
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.