PatchSiren cyber security CVE debrief
CVE-2026-52704 Edgar Rojas CVE debrief
CVE-2026-52704 is a critical vulnerability in WooCommerce PDF Invoice Builder, a WordPress plugin. It is classified as 'Improper Control of Generation of Code ('Code Injection')' and allows Remote Code Inclusion. Its CVSS score is 10, the highest severity. Affected versions are listed as from n/a through 2.0.8: no lower bound is given, so every release up to and including 2.0.8 is in scope.
- Vendor: Edgar Rojas
- Product: WooCommerce PDF Invoice Builder
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WooCommerce PDF Invoice Builder, particularly those running versions up to 2.0.8, should be aware of this vulnerability and apply the defensive actions listed under Recommended defensive actions.
Technical summary
The vulnerability is caused by improper control of code generation, allowing for remote code inclusion. This can be exploited by attackers to execute arbitrary code on the affected system.
Defensive priority
High
Recommended defensive actions
- Update WooCommerce PDF Invoice Builder to a version beyond 2.0.8.
- Review and restrict access to the plugin's functionality to prevent unauthorized use.
- Monitor for suspicious activity related to the plugin.
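To act on the first recommendation you need to know which installs are still at or below 2.0.8. The following is an added example, not code from this advisory or from the plugin's author: it reads the WordPress plugin header of every plugin under a plugins directory and reports copies of the product at or below 2.0.8, comparing versions numerically. It assumes the plugin's "Plugin Name" header equals the product name given above; the folder names in the sample tree are hypothetical and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

PRODUCT = "WooCommerce PDF Invoice Builder"  # assumption: header matches the advisory's product name
LAST_AFFECTED = "2.0.8"                       # "through 2.0.8" per the advisory

# Header lines as they appear in a plugin's leading comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def version_key(v):
    """Turn '2.0.10' into (2, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def read_header(php_file):
    """Parse header fields from the first 8 KiB, the part WordPress itself reads."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {k.lower(): v for k, v in HEADER_RE.findall(text)}

def find_affected(plugins_dir):
    """List (folder, version) for installs of PRODUCT at or below LAST_AFFECTED."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = read_header(php_file)
        if hdr.get("plugin name", "").lower() != PRODUCT.lower():
            continue
        version = hdr.get("version", "")
        # A missing version is reported too: it cannot be shown to be fixed.
        if not version or version_key(version) <= version_key(LAST_AFFECTED):
            hits.append((php_file.parent.name, version or "unknown"))
    return hits

def build_sample_tree(root):
    """Constructed sample: three plugin folders with hypothetical slugs."""
    samples = {"pdf-builder-old": (PRODUCT, "2.0.8"),
               "pdf-builder-new": (PRODUCT, "2.0.10"),
               "other-plugin": ("Some Other Plugin", "1.0.0")}
    for slug, (name, ver) in samples.items():
        d = Path(root) / slug
        d.mkdir(parents=True)
        (d / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_affected(build_sample_tree(tmp)))
```

On a real site, pass the path of the site's wp-content/plugins directory to find_affected. A plain string comparison would sort 2.0.10 below 2.0.8 and flag a newer release as affected, which is why versions are compared as integer tuples.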
Evidence notes
The vulnerability was reported by Patchstack, as indicated by the reference link [ref-4].
Official resources
- CVE-2026-52704 CVE record (CVE.org)
- CVE-2026-52704 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-52704 was published on 2026-06-15T14:16:36.380Z and has not been modified since then.