CVE-2026-39472

Vulnerability

The WooCommerce PDF Invoices & Packing Slips plugin for WordPress is vulnerable to PHP Object Injection in versions before 5.9.0. The vulnerability exists due to insecure deserialization of user-supplied input, allowing an attacker to inject arbitrary PHP objects. No authentication is required for exploitation, and the attack vector is through crafted input [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted request containing a serialized PHP object to the vulnerable plugin endpoint. The plugin deserializes the object, enabling the attacker to trigger arbitrary code execution if a suitable POP chain is present in the environment [1].

Impact

Successful exploitation could lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other impacts depending on the available POP chain. The attacker could gain full control of the affected WordPress site, leading to complete compromise [1].

Mitigation

Update to version 5.9.0 or later to resolve the vulnerability. Patchstack users can enable auto-update for vulnerable plugins. Until the update is applied, Patchstack provides a mitigation rule to block attacks [1].