CVE-2025-13773
Unknown Unknown - Not Provided
Remote Code Execution in WooCommerce Delivery Notes Plugin

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: Wordfence

Description
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13773
EUVD
EUVD-2025-205036
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
woocommerce delivery_notes *
dompdf dompdf *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13773 is a critical remote code execution (RCE) vulnerability in the Print Invoice & Delivery Notes for WooCommerce WordPress plugin (versions up to 5.8.0). It arises because the 'WooCommerce_Delivery_Notes::update' function lacks proper capability checks, combined with PHP execution being enabled in the Dompdf PDF rendering library and missing output escaping in the 'template.php' file. This allows unauthenticated attackers to execute arbitrary PHP code on the server by exploiting these weaknesses. The vulnerability was fixed in version 5.9.0 by disabling PHP execution in Dompdf, adding input sanitization and validation, enforcing nonce verification and permission checks, and improving output escaping to prevent code injection. [1, 4, 5]

Impact Analysis

This vulnerability can have severe impacts including allowing unauthenticated attackers to execute arbitrary code on your server remotely. This can lead to full compromise of the server hosting the WordPress site, unauthorized access to sensitive data, defacement, data loss, or use of the server for malicious activities. Because the vulnerability enables remote code execution without authentication, it poses a high risk to the confidentiality, integrity, and availability of your system and data. [1, 4]

Detection Guidance

To detect this vulnerability on your system, you can check the version of the WooCommerce Delivery Notes plugin installed on your WordPress site. Versions up to and including 5.8.0 are vulnerable. You can verify the plugin version via the WordPress admin dashboard or by checking the plugin files. Additionally, you can look for signs of exploitation such as unexpected PHP files or unusual PDF generation behavior due to enabled PHP execution in Dompdf. Since the vulnerability involves missing capability checks and enabled PHP execution in Dompdf, monitoring for unauthorized access attempts to the 'update' function or suspicious PDF generation activity could help. Specific commands to check the plugin version on the server (if you have shell access) include: 1. Navigate to the plugin directory and check the version in the main plugin file or readme.txt, e.g., `grep 'Version' wp-content/plugins/woocommerce-delivery-notes/woocommerce-delivery-notes.php` 2. Use WP-CLI to list plugin versions: `wp plugin list | grep woocommerce-delivery-notes` 3. Check for presence of PHP execution enabled in Dompdf config by searching for `isPhpEnabled = true` in plugin files: `grep -r 'isPhpEnabled = true' wp-content/plugins/woocommerce-delivery-notes/` 4. Review web server logs for suspicious POST requests to admin AJAX endpoints related to WooCommerce Delivery Notes update functions. These steps can help identify if the vulnerable plugin version is present and if exploitation attempts are occurring. [1, 2]

Mitigation Strategies

The immediate mitigation step is to update the WooCommerce Delivery Notes plugin to version 5.9.0 or later, which contains the security fixes addressing CVE-2025-13773. The update disables PHP execution in the Dompdf library, adds proper input sanitization and validation, enforces nonce verification and capability checks, and improves output escaping to prevent remote code execution. If updating immediately is not possible, as a temporary measure, you can disable or restrict access to the plugin's update functionality, disable PHP execution in Dompdf if configurable, and restrict permissions to trusted administrators only. Monitoring and blocking suspicious requests targeting the vulnerable update function can also help reduce risk until the update is applied. [1]

Compliance Impact

The provided resources do not explicitly discuss the impact of CVE-2025-13773 on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows unauthenticated remote code execution on the server, it could potentially lead to unauthorized access or manipulation of sensitive customer data processed by the WooCommerce Delivery Notes plugin. Such unauthorized access or data breaches could negatively affect compliance with data protection regulations like GDPR or HIPAA. The update to version 5.9.0 mitigates this risk by implementing input sanitization, permission checks, and disabling PHP execution in PDF rendering, thereby reducing the likelihood of data compromise. Still, no direct statements about regulatory compliance impact are provided. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13773. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart