CVE-2025-64269
Description
Missing Authorization vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoice Builder: from n/a through <= 1.2.150.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WooCommerce PDF Invoice Builder ≤1.2.150 allows unprivileged attackers to exploit incorrect access control security levels.
Vulnerability Overview
CVE-2025-64269 is a Missing Authorization vulnerability in the EDGARROJAS WooCommerce PDF Invoice Builder plugin (woo-pdf-invoice-builder) for WordPress [1]. The issue affects all versions up to and including 1.2.150. The root cause is that the plugin incorrectly configures access control security levels, allowing functions to be executed without proper authorization checks [1].
Exploitation
This is a Broken Access Control vulnerability that can be exploited over the network without requiring authentication or user interaction [1]. Attackers can leverage this to perform actions normally reserved for higher-privileged users, such as administrators. The vulnerability is categorized as having a low severity (CVSS v3 score 4.3) and is considered unlikely to be exploited in isolation, but it is the type of flaw that can be used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Impact
Successful exploitation allows an unprivileged attacker to bypass access controls and potentially access or modify sensitive data, including PDF invoices, without proper authorization [1]. The impact is limited to unauthorized access to functionality that should require higher privileges, but does not directly lead to complete site compromise.
Mitigation
The vendor has released version 1.2.151, which patches the missing authorization issue by implementing proper access control checks [1]. Users are strongly advised to update to this version or later immediately. Those running Patchstack can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.2.150
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.