CVE-2026-24946

Vulnerability

Overview

The Print Invoice & Delivery Notes for WooCommerce plugin (woocommerce-delivery-notes) for WordPress contains a missing authorization vulnerability affecting versions from n/a through 5.8.0. This issue arises from incorrectly configured access control security levels, allowing exploitation of broken access controls [1].

Exploitation

Details

The vulnerability is classified as Broken Access Control, meaning there is a missing authorization, authentication, or nonce token check in a function. This could allow an unprivileged user to execute higher-privileged actions [1]. Attackers can potentially target thousands of websites in mass-exploit campaigns, regardless of site traffic or popularity [1].

Impact

If exploited, an attacker could gain unauthorized access to functions or data that should be restricted, potentially compromising the security of WooCommerce-based online stores. The CVSS v3 base score is 6.5 (Medium), indicating a moderate severity risk [1].

Mitigation

The vendor has released version 5.9.0 which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack has also issued a mitigation rule to block attacks until the update is applied [1].