CVE-2026-1906
IDOR Vulnerability in WooCommerce PDF Invoices Plugin Risks Data Integrity

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-18
Generated: 2026-06-16
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
One associated CPE:
Vendor: wp_overnight
Product: pdf_invoices_and_packing_slips_for_woocommerce
Version / Range: up to 5.6.0 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress has a vulnerability known as Insecure Direct Object Reference (IDOR) in all versions up to and including 5.6.0. This vulnerability exists in the AJAX action `wpo_ips_edi_save_order_customer_peppol_identifiers` because it lacks proper capability checks and order ownership validation.

As a result, authenticated users with Subscriber-level access or higher can modify Peppol/EDI endpoint identifiers for any customer by specifying an arbitrary order ID. This means they can change identifiers like `peppol_endpoint_id` and `peppol_endpoint_eas` on systems using Peppol invoicing.

Impact Analysis

This vulnerability allows unauthorized modification of the Peppol/EDI endpoint identifiers associated with customer orders. Such changes can affect how those orders are routed on the Peppol network.

The consequences may include payment disruptions and potential data leakage, as the altered identifiers could misroute invoices or expose sensitive information.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action in the WooCommerce PDF Invoices & Packing Slips plugin, which lacks proper capability checks and order ownership validation. Detection would involve monitoring or testing this AJAX endpoint for unauthorized modifications of Peppol/EDI endpoint identifiers by authenticated users with Subscriber-level access or higher.

Specific commands or detection scripts are not provided in the available resources. However, network or system administrators could monitor HTTP requests targeting the AJAX action `wpo_ips_edi_save_order_customer_peppol_identifiers` and check for suspicious attempts to modify `peppol_endpoint_id` or `peppol_endpoint_eas` parameters with arbitrary `order_id` values.

Since no explicit detection commands or tools are mentioned in the provided resources, custom monitoring or penetration testing targeting this AJAX action would be necessary.
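One way to implement the monitoring described above, written for this page as an added example rather than anything shipped by the plugin or its vendor. It assumes JSON-lines request logs exported from a WAF or authentication-aware reverse proxy that record the WordPress user, their role and the decoded request parameters (the field names `user`, `role`, `path` and `params`, the role names and the sample lines are all constructed assumptions); a definitive ownership check still needs a lookup against the store's own order records.

```python
import json
from collections import defaultdict

TARGET_ACTION = "wpo_ips_edi_save_order_customer_peppol_identifiers"
PEPPOL_FIELDS = {"peppol_endpoint_id", "peppol_endpoint_eas"}
# Roles expected to edit identifiers on orders they do not own themselves (assumed).
PRIVILEGED_ROLES = {"administrator", "shop_manager"}

# Constructed JSON-lines sample (one request per line) for this example.
SAMPLE_LOG = """\
{"user":"alice","role":"customer","path":"/wp-admin/admin-ajax.php","params":{"action":"wpo_ips_edi_save_order_customer_peppol_identifiers","order_id":"1001","peppol_endpoint_id":"0192:111111111"}}
{"user":"mallory","role":"subscriber","path":"/wp-admin/admin-ajax.php","params":{"action":"wpo_ips_edi_save_order_customer_peppol_identifiers","order_id":"1001","peppol_endpoint_id":"0192:999999999"}}
{"user":"mallory","role":"subscriber","path":"/wp-admin/admin-ajax.php","params":{"action":"wpo_ips_edi_save_order_customer_peppol_identifiers","order_id":"1002","peppol_endpoint_eas":"0192"}}
{"user":"mallory","role":"subscriber","path":"/wp-admin/admin-ajax.php","params":{"action":"wpo_ips_edi_save_order_customer_peppol_identifiers","order_id":"1003","peppol_endpoint_id":"0192:999999999"}}
{"user":"bob","role":"shop_manager","path":"/wp-admin/admin-ajax.php","params":{"action":"wpo_ips_edi_save_order_customer_peppol_identifiers","order_id":"1004","peppol_endpoint_id":"0192:222222222"}}
{"user":"alice","role":"customer","path":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"}}
"""

def parse_events(log_text):
    """Yield only the requests that call the affected AJAX action."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        params = rec.get("params", {})
        if rec.get("path", "").endswith("/admin-ajax.php") and params.get("action") == TARGET_ACTION:
            yield rec

def detect(log_text, max_orders_per_user=1):
    """Alert on low-privilege users who write Peppol fields across more distinct
    order_ids than a customer editing a single order of their own would touch."""
    orders_by_user = defaultdict(set)
    roles = {}
    for rec in parse_events(log_text):
        params = rec["params"]
        if not PEPPOL_FIELDS.intersection(params):
            continue  # action called without identifier fields: nothing written
        orders_by_user[rec["user"]].add(str(params.get("order_id", "")))
        roles[rec["user"]] = rec.get("role", "unknown")
    alerts = []
    for user, orders in sorted(orders_by_user.items()):
        if roles[user] not in PRIVILEGED_ROLES and len(orders) > max_orders_per_user:
            alerts.append({"user": user, "role": roles[user], "order_ids": sorted(orders)})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['user']} ({a['role']}) wrote Peppol identifiers on orders {a['order_ids']}")
```

Any hit from a Subscriber-level account is worth reviewing even below the threshold, since such accounts normally have no reason to call this action at all; the threshold only separates a customer editing their own order from an account sweeping across many.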

Mitigation Strategies

Immediate mitigation steps include updating the WooCommerce PDF Invoices & Packing Slips plugin to a version later than 5.6.0 where this vulnerability is fixed, as all versions up to and including 5.6.0 are affected.

If an immediate update is not possible, restrict access to the affected AJAX action by limiting authenticated user capabilities or applying firewall rules to block unauthorized AJAX requests targeting `wpo_ips_edi_save_order_customer_peppol_identifiers`.

Additionally, review user roles and permissions to ensure that only trusted users have Subscriber-level access or higher, minimizing the risk of exploitation.
