WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs

An unauthenticated attacker can enumerate sequential WooCommerce order IDs and directly request invoice HTML files from `wp-content/uploads/whatsorder_invoices/order-{N}.html`. Because the `yapacdev_generate_order_pdf()` function [ref_id=1][ref_id=2] writes invoices to a publicly accessible directory with no access control, the attacker can extract sensitive customer PII — full name, email, phone, billing address, ordered items, prices, coupons, shipping method, and order total — from any order. No authentication or special privileges are required; the only precondition is that the site has at least one order processed through the WhatsOrder payment gateway.

The vulnerability resides in the `yapacdev_generate_order_pdf()` function in `whatsorder-instant-checkout-for-woocommerce.php` [ref_id=1][ref_id=2]. This function writes an HTML invoice file to `wp-content/uploads/whatsorder_invoices/` using a predictable filename (`order-{order_id}.html`) and returns the public URL without any authentication or access control. The directory is created without an `.htaccess` deny rule or `index.php` guard, making every invoice directly downloadable over HTTP.

The patch does not appear in the provided bundle; however, the advisory indicates the fix must prevent unauthenticated access to the invoice directory. The recommended remediation is to place an `.htaccess` file with `Deny from all` (or equivalent server configuration) inside `wp-content/uploads/whatsorder_invoices/` and add an `index.php` guard to prevent directory listing. Additionally, the `yapacdev_generate_order_pdf()` function should be modified to serve invoice files through a WordPress-verified download handler that checks capabilities rather than writing directly to a public web-accessible path.