CVE-2026-49056

Vulnerability

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress versions 4.9.4 and earlier contain an unauthenticated sensitive data exposure vulnerability. This flaw arises from insufficient access controls on certain endpoint or functionality, allowing the exposure of information that should be protected. According to the advisory [1], the vulnerability affects all installations running version 4.9.4 or below.

Exploitation

An attacker can exploit this vulnerability without any authentication. The attacker only needs network access to the affected WordPress site. By sending a crafted request to a vulnerable endpoint, the attacker can retrieve sensitive data that is normally restricted to authenticated users. No user interaction or special privileges are required.

Impact

Successful exploitation leads to the disclosure of sensitive information, such as customer details, order data, or other confidential information stored in the plugin. This could be used to launch further attacks or compromise privacy. The exposure occurs at the unauthenticated level, giving the attacker a broad scope of accessed data.

Mitigation

The vulnerability is fixed in version 4.9.5 of the plugin. Users are strongly advised to update immediately. If immediate update is not possible, consult a hosting provider or web developer for assistance. According to Patchstack [1], no virtual patch can be assigned due to the nature of the vulnerability. The vulnerability is expected to be targeted in mass-exploit campaigns.