PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13116 wpovernight CVE debrief

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This vulnerability allows authenticated attackers with contributor-level access and above to mint publicly accessible, session-free download links for arbitrary third-party orders. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. Exploitation requires the plugin's Document link access type setting to be configured to 'full'.

Vendor
wpovernight
Product
PDF Invoices & Packing Slips for WooCommerce
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Authenticated attackers with contributor-level access and above should be cautious as they can mint publicly accessible, session-free download links for arbitrary third-party orders. Operators of WooCommerce sites using the affected plugin should review and update the plugin to prevent exploitation.

Technical summary

The vulnerability exists in the PDF Invoices & Packing Slips for WooCommerce plugin for WordPress, specifically in the generate_document_shortcode function. The issue arises from missing validation on a user-controlled key, allowing attackers to access sensitive information such as customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes.

Defensive priority

Medium priority due to the CVSS score of 4.3 and the potential for sensitive information disclosure.

Recommended defensive actions

  • Review and update the plugin to a version beyond 5.14.0.
  • Restrict access to the generate_document_shortcode function.
  • Implement additional validation and sanitization for user-controlled input.
  • Monitor for suspicious activity and implement logging and alerting mechanisms.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The vulnerability was reported by [email protected] and is publicly disclosed in the CVE record and NVD detail pages. The reporter provided evidence of the vulnerability, but details are limited. Defenders should verify affected product deployments and review official advisories for validation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:32.123Z and has not been modified since then.