CVE-2026-1906
IDOR Vulnerability in WooCommerce PDF Invoices Plugin Risks Data Integrity
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_overnight | pdf_invoices_and_packing_slips_for_woocommerce | up to and including 5.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 5.6.0. The flaw is in the AJAX action `wpo_ips_edi_save_order_customer_peppol_identifiers`, which performs neither a capability check nor a check that the order being edited belongs to the requesting user (CWE-862, missing authorization).
As a result, any authenticated user with Subscriber-level access or higher can modify the Peppol/EDI endpoint identifiers stored on any order simply by supplying an arbitrary order ID in the request. On sites that use Peppol e-invoicing, this means the attacker can rewrite fields such as `peppol_endpoint_id` and `peppol_endpoint_eas` for other customers' orders.
How can this vulnerability impact me?
The impact is unauthorized modification of the Peppol/EDI endpoint identifiers associated with customer orders. These identifiers determine where the e-invoice for an order is delivered on the Peppol network, so an attacker who changes them can redirect invoices away from the intended recipient.
The consequences may include payment disruption (invoices never reach the paying party) and data leakage (invoice contents are delivered to an endpoint the attacker controls or chose). The vulnerability does not by itself grant administrative access; its direct effect is on the integrity of order data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable code path is the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action in the WooCommerce PDF Invoices & Packing Slips plugin, which lacks a capability check and order ownership validation. Detection therefore means watching that action for calls in which a low-privilege authenticated user targets an order that is not their own.
No vendor-supplied detection commands or scripts are referenced in the available resources. Two practical caveats apply when building your own: first, WordPress AJAX requests go to `wp-admin/admin-ajax.php` with the action name typically sent in the POST body, so a standard web-server access log shows only `POST /wp-admin/admin-ajax.php` and not which action was called; you need request-body logging (a WAF such as ModSecurity, a reverse-proxy rule, or an in-application hook) to see the `action`, `order_id`, `peppol_endpoint_id` and `peppol_endpoint_eas` parameters. Second, a request is only suspicious in context: compare the authenticated user against the customer recorded on the referenced order, and flag any mismatch from a user who does not hold a shop-management capability.
If you cannot log at that level, a penetration test that calls the action as a Subscriber-level user with another customer's order ID will confirm whether a given installation is still exploitable.
What immediate steps should I take to mitigate this vulnerability?
The primary fix is to update the WooCommerce PDF Invoices & Packing Slips plugin to a version later than 5.6.0 in which this vulnerability is fixed; all versions up to and including 5.6.0 are affected.
If an immediate update is not possible, gate the affected AJAX action: block or virtual-patch requests to `wp-admin/admin-ajax.php` whose `action` parameter is `wpo_ips_edi_save_order_customer_peppol_identifiers` unless the requesting user holds a shop-management capability or is the customer on the referenced order. A WAF rule or a must-use plugin hooked ahead of the vulnerable handler can do this without modifying the plugin itself.
Reviewing user roles and permissions is worthwhile hygiene, but note that WooCommerce's default Customer role falls into the "Subscriber-level or higher" class, so on a store with open customer registration role review alone will not prevent exploitation. Treat it as a supplement to the update, not a substitute.
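The following must-use plugin is an added example written for this page, not code from the PDF Invoices & Packing Slips plugin or from Wordfence. It implements both the detection and the interim mitigation described above in one place: it hooks the vulnerable AJAX action ahead of the plugin's own handler, logs every call with the acting user and target order, and aborts any call where the user is neither a shop manager nor the order's customer. It assumes, without confirmation from the advisory, that the plugin registers its handler on the standard `wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers` hook at the default priority 10 and that the order is passed in a request parameter named `order_id`; the function names prefixed `cve_2026_1906_` and the `manage_woocommerce` capability choice are this example's own.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-1906 (added example, not plugin code)
 * Description: Place in wp-content/mu-plugins/ to log and gate the vulnerable
 *              Peppol-identifier AJAX action until the plugin is updated past 5.6.0.
 */

// Assumption (not stated in the advisory): the plugin hooks 'wp_ajax_' . this
// action at the default priority 10 and reads the target order from 'order_id'.
const CVE_2026_1906_ACTION = 'wpo_ips_edi_save_order_customer_peppol_identifiers';

/**
 * Authorization check the vulnerable handler is missing: allow shop managers
 * and administrators (manage_woocommerce), or the customer who owns the order.
 * Fails closed on unknown orders, logged-out users and missing WooCommerce.
 */
function cve_2026_1906_user_may_edit_order( int $order_id ): bool {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    if ( $order_id <= 0 || ! function_exists( 'wc_get_order' ) ) {
        return false;
    }
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return false;
    }
    $user_id = get_current_user_id();
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}

/**
 * Runs at priority 1, before the plugin's handler. Writes one detection line
 * per attempt to the PHP error log (debug.log when WP_DEBUG_LOG is on) and
 * terminates unauthorized requests so the plugin's handler never executes.
 */
function cve_2026_1906_gate_peppol_ajax(): void {
    $order_id = isset( $_REQUEST['order_id'] )
        ? absint( wp_unslash( $_REQUEST['order_id'] ) )
        : 0;
    $allowed = cve_2026_1906_user_may_edit_order( $order_id );

    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';
    // Detection record: grep the log for "CVE-2026-1906 DENY" to find probes.
    error_log( sprintf(
        'CVE-2026-1906 %s user=%d order=%d ip=%s',
        $allowed ? 'ALLOW' : 'DENY',
        get_current_user_id(),
        $order_id,
        $remote
    ) );

    if ( ! $allowed ) {
        // wp_send_json_error() ends the request; the priority-10 handler is skipped.
        wp_send_json_error( array( 'message' => 'Not allowed to edit this order.' ), 403 );
    }
}
add_action( 'wp_ajax_' . CVE_2026_1906_ACTION, 'cve_2026_1906_gate_peppol_ajax', 1 );
```

Before relying on this, confirm the hook and priority by grepping the installed plugin for `add_action( 'wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers'`; if the plugin registers at a priority lower than 1, or also registers a `wp_ajax_nopriv_` variant, adjust the hook accordingly. A `DENY` line for a logged-in user against an order they do not own is the signal to investigate, and `ALLOW` lines let you audit legitimate edits. This gate is a stopgap; the update is the fix.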