CVE-2026-52704
Received Received - Intake
Code Injection in WooCommerce PDF Invoice Builder

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2026-52704
EUVD
EUVD-2026-36720
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack woocommerce_pdf_invoice_builder From 2.0.0 (inc) to 2.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-52704 is a critical vulnerability in the WooCommerce PDF Invoice Builder plugin for WordPress, affecting versions up to 2.0.8. It is a Remote Code Execution (RCE) flaw caused by improper control of code generation, also known as code injection.

This vulnerability allows attackers to execute arbitrary commands on the affected website remotely, potentially gaining backdoor access and full control over the site.

The flaw can be exploited by users with only Subscriber-level privileges, making it easier for attackers to leverage this issue.

Compliance Impact

The vulnerability allows remote code execution, enabling attackers to execute arbitrary commands and gain full control over affected websites.

Such unauthorized access and control can lead to data breaches, unauthorized data manipulation, and exposure of sensitive information.

Consequently, organizations using the vulnerable WooCommerce PDF Invoice Builder plugin may face non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data.

Impact Analysis

This vulnerability can have severe impacts including complete takeover of your website by attackers.

  • Attackers can execute arbitrary commands remotely.
  • They can gain backdoor access to your website.
  • Full control of the affected website can be achieved by the attacker.

Such control can lead to data theft, defacement, malware distribution, or using your site as part of a larger attack campaign.

Detection Guidance

The vulnerability affects WooCommerce PDF Invoice Builder Plugin versions 2.0.8 and below, allowing remote code execution. Detection involves identifying if the vulnerable plugin version is installed and monitoring for suspicious activity indicative of exploitation attempts.

Specific commands are not provided in the available resources. However, general detection steps include checking the plugin version installed on your WordPress site and monitoring web server logs for unusual requests or commands that could indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation involves updating the WooCommerce PDF Invoice Builder Plugin to version 2.0.9 or later, where the vulnerability is patched.

If updating is not possible immediately, it is recommended to apply the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.

Additionally, seeking assistance from your hosting provider or a web developer can help implement temporary protections until the update can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart