/Vulnerability Library

WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution

CVE-2025-13773
Verified

Description

Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.

Severity

Critical

CVSS Score

9.8

Exploit Probability

3%

Affected Product

woocommerce-delivery-notes

Published Date

May 14, 2026

Template Author

pikajuna-ops

CVE-2025-13773.yaml
id: CVE-2025-13773

info:
  name: WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
  author: PikaJuna-ops
  severity: critical
  description: |
    Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version beyond 5.8.0.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769
    - https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes
    - https://nvd.nist.gov/vuln/detail/CVE-2025-13773
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-13773
    epss-score: 0.032
    epss-percentile: 0.86595
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="wp-content/plugins/woocommerce-delivery-notes/"
    product: woocommerce-delivery-notes
    vendor: tychesoftwares
  tags: cve,cve2025,wordpress,wp-plugin,woocommerce-delivery-notes,rce,passive,vkev

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/woocommerce-delivery-notes/readme.txt'

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "compare_versions(version, '<= 5.8.0')"
          - "contains(body, 'Print Invoice & Delivery Notes')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true
# digest: 490a00463044022067354fe1d490a05d39bcfa669d9818173a240b49b5d2606b7a2c936db3a2205b02201ee6009aad7bba4bce22715c729bd3ff257faa1bbb0af26dd7f42b30ed7664ee:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-13773
CWE ID:
cwe-94

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-noteshttps://nvd.nist.gov/vuln/detail/CVE-2025-13773

Remediation Steps

Update to the latest version beyond 5.8.0.