CVE-2025-67589

Vulnerability

Overview

CVE-2025-67589 is a missing authorization vulnerability in the WordPress plugin WooCommerce PDF Invoices & Packing Slips, affecting versions from n/a through 4.9.1. The plugin fails to properly enforce proper access control checks, allowing exploitation of incorrectly configured security levels that are incorrectly configured [1]. This is classified as a Broken Access Control issue, meaning a function lacks necessary authorization, authentication, or nonce token checks [1].

Exploitation

An attacker does not need elevated privileges to exploit this flaw; the missing authorization means an unprivileged user can execute actions that should require higher privileges [1]. The attack surface is the plugin's functions that are exposed without proper access validation. No authentication bypass or special network position is required beyond being able to interact with the WordPress instance.

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as viewing or modifying PDF invoices and packing slips, or other administrative functions that the plugin exposes. The CVSS v3 score is 4.3 (Medium), indicating a moderate severity [1]. The vendor notes that this vulnerability has low severity impact and is unlikely to be exploited, but it is still a security risk [1].

Mitigation

The vulnerability is patched in version 5.0.0 of the plugin. Users are strongly advised to update immediately [1]. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].