CVE-2025-13773
Remote Code Execution in WooCommerce Delivery Notes Plugin
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | delivery_notes | * |
| dompdf | dompdf | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13773 is a critical remote code execution (RCE) vulnerability in the Print Invoice & Delivery Notes for WooCommerce WordPress plugin (versions up to 5.8.0). It arises because the 'WooCommerce_Delivery_Notes::update' function lacks proper capability checks, combined with PHP execution being enabled in the Dompdf PDF rendering library and missing output escaping in the 'template.php' file. This allows unauthenticated attackers to execute arbitrary PHP code on the server by exploiting these weaknesses. The vulnerability was fixed in version 5.9.0 by disabling PHP execution in Dompdf, adding input sanitization and validation, enforcing nonce verification and permission checks, and improving output escaping to prevent code injection. [1, 4, 5]
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing unauthenticated attackers to execute arbitrary code on your server remotely. This can lead to full compromise of the server hosting the WordPress site, unauthorized access to sensitive data, defacement, data loss, or use of the server for malicious activities. Because the vulnerability enables remote code execution without authentication, it poses a high risk to the confidentiality, integrity, and availability of your system and data. [1, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can check the version of the WooCommerce Delivery Notes plugin installed on your WordPress site. Versions up to and including 5.8.0 are vulnerable. You can verify the plugin version via the WordPress admin dashboard or by checking the plugin files. Additionally, you can look for signs of exploitation such as unexpected PHP files or unusual PDF generation behavior due to enabled PHP execution in Dompdf. Since the vulnerability involves missing capability checks and enabled PHP execution in Dompdf, monitoring for unauthorized access attempts to the 'update' function or suspicious PDF generation activity could help. Specific commands to check the plugin version on the server (if you have shell access) include:
1. Navigate to the plugin directory and check the version in the main plugin file or readme.txt, e.g., `grep 'Version' wp-content/plugins/woocommerce-delivery-notes/woocommerce-delivery-notes.php`
2. Use WP-CLI to list plugin versions: `wp plugin list | grep woocommerce-delivery-notes`
3. Check whether PHP execution is enabled in the Dompdf config by searching for `isPhpEnabled = true` in the plugin files: `grep -r 'isPhpEnabled = true' wp-content/plugins/woocommerce-delivery-notes/`
4. Review web server logs for suspicious POST requests to admin AJAX endpoints related to WooCommerce Delivery Notes update functions.
These steps can help identify if the vulnerable plugin version is present and if exploitation attempts are occurring. [1, 2]
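As an added example, not taken from the advisory or the plugin's own code, the POSIX shell script below automates steps 1 and 3 above: it reads the plugin header's Version line, compares it numerically against 5.8.0, and greps the plugin tree for an enabled Dompdf `isPhpEnabled` setting (including the `set('isPhpEnabled', true)` and `setIsPhpEnabled(true)` forms that a literal search for `isPhpEnabled = true` misses). The directory layout and the sample files it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from the advisory or the plugin): flags a WooCommerce
# Delivery Notes install whose version is at or below 5.8.0, or whose tree still
# enables Dompdf PHP execution. The file layout below is an assumption.

# Read the "Version: x.y.z" line from a WordPress plugin header file.
plugin_version() {
    grep -i '^[[:space:]*]*Version:' "$1" 2>/dev/null | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[^0-9.].*$//'
}

# Map "major.minor.patch" to one integer so versions compare numerically
# (subshell body keeps the IFS change local; missing components count as 0).
version_key() (
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# True when version $1 is at or below version $2.
version_le() {
    [ "$(version_key "$1")" -le "$(version_key "$2")" ]
}

# Classify a plugin directory. Besides the literal "isPhpEnabled = true", the
# grep matches the Dompdf Options forms set('isPhpEnabled', true) and
# setIsPhpEnabled(true), which a literal search would miss.
check_plugin_dir() {
    ver=$(plugin_version "$1/woocommerce-delivery-notes.php")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_le "$ver" "5.8.0"; then
        echo "vulnerable version $ver"
    elif grep -rqE "isPhpEnabled['\"]?[[:space:]]*(=|,)[[:space:]]*true|setIsPhpEnabled\(true\)" "$1"; then
        echo "patched version $ver but Dompdf PHP execution enabled"
    else
        echo "ok version $ver"
    fi
}

# Build a constructed sample plugin tree (not real plugin files) so the
# check can be exercised offline: $1 = version, $2 = isPhpEnabled value.
make_sample() {
    d=$(mktemp -d)/woocommerce-delivery-notes
    mkdir -p "$d/vendor/dompdf"
    printf '<?php\n/*\nPlugin Name: Print Invoice & Delivery Notes for WooCommerce\nVersion: %s\n*/\n' "$1" \
        > "$d/woocommerce-delivery-notes.php"
    printf '<?php\n$options->set("isPhpEnabled", %s);\n' "$2" > "$d/vendor/dompdf/setup.php"
    echo "$d"
}
```

On a live site, call `check_plugin_dir` with the real plugin directory (for example `wp-content/plugins/woocommerce-delivery-notes`, an assumed path) instead of a `make_sample` tree.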
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WooCommerce Delivery Notes plugin to version 5.9.0 or later, which contains the security fixes addressing CVE-2025-13773. The update disables PHP execution in the Dompdf library, adds proper input sanitization and validation, enforces nonce verification and capability checks, and improves output escaping to prevent remote code execution. If updating immediately is not possible, as a temporary measure, you can disable or restrict access to the plugin's update functionality, disable PHP execution in Dompdf if configurable, and restrict permissions to trusted administrators only. Monitoring and blocking suspicious requests targeting the vulnerable update function can also help reduce risk until the update is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of CVE-2025-13773 on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows unauthenticated remote code execution on the server, it could potentially lead to unauthorized access or manipulation of sensitive customer data processed by the WooCommerce Delivery Notes plugin. Such unauthorized access or data breaches could negatively affect compliance with data protection regulations like GDPR or HIPAA. The update to version 5.9.0 mitigates this risk by implementing input sanitization, permission checks, and disabling PHP execution in PDF rendering, thereby reducing the likelihood of data compromise. Still, no direct statements about regulatory compliance impact are provided. [1]