WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
CVE-2025-13773
Verified
Description
Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.
Severity
Critical
CVSS Score
9.8
Exploit Probability
3%
Affected Product
woocommerce-delivery-notes
Published Date
May 14, 2026
Template Author
pikajuna-ops
CVE-2025-13773.yaml
id: CVE-2025-13773
info:
name: WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
author: PikaJuna-ops
severity: critical
description: |
Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.
impact: |
Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
remediation: |
Update to the latest version beyond 5.8.0.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769
- https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes
- https://nvd.nist.gov/vuln/detail/CVE-2025-13773
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-13773
epss-score: 0.032
epss-percentile: 0.86595
cwe-id: CWE-94
metadata:
verified: true
max-request: 2
fofa-query: body="wp-content/plugins/woocommerce-delivery-notes/"
product: woocommerce-delivery-notes
vendor: tychesoftwares
tags: cve,cve2025,wordpress,wp-plugin,woocommerce-delivery-notes,rce,passive,vkev
http:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/woocommerce-delivery-notes/readme.txt'
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "compare_versions(version, '<= 5.8.0')"
- "contains(body, 'Print Invoice & Delivery Notes')"
condition: and
extractors:
- type: regex
part: body
group: 1
name: version
regex:
- 'Stable tag: ([0-9.]+)'
internal: true
# digest: 490a00463044022067354fe1d490a05d39bcfa669d9818173a240b49b5d2606b7a2c936db3a2205b02201ee6009aad7bba4bce22715c729bd3ff257faa1bbb0af26dd7f42b30ed7664ee:922c64590222798bb761d5b6d8e729509.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-13773
CWE ID:
cwe-94
Remediation Steps
Update to the latest version beyond 5.8.0.