CVE-2026-1906
Description
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the wpo_ips_edi_save_order_customer_peppol_identifiers AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (peppol_endpoint_id, peppol_endpoint_eas) for any customer by specifying an arbitrary order_id parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.phpnvd
- plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.6.0/includes/Admin.phpnvd
- wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/2e1922c6-e63b-47aa-97de-1e2382fa25d3nvd
News mentions
0No linked articles in our index yet.