CVE-2024-3047 Overview
CVE-2024-3047 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in the PDF Invoices & Packing Slips for WooCommerce plugin for WordPress. The flaw affects all versions up to and including 3.8.0 and resides in the plugin's transform() function. Unauthenticated attackers can coerce the vulnerable WordPress server into issuing arbitrary HTTP requests to internal or external destinations. Attackers can use this primitive to probe internal services, read metadata endpoints, or interact with non-public APIs reachable from the host.
Critical Impact
Unauthenticated attackers can pivot through the WordPress server to reach internal network services, potentially exposing cloud metadata, intranet resources, and non-internet-facing APIs.
Affected Products
- WPovernight PDF Invoices & Packing Slips for WooCommerce, versions ≤ 3.8.0
- WordPress installations running the affected plugin
- WooCommerce stores integrated with the affected plugin
Discovery Timeline
- 2024-05-02 - CVE-2024-3047 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2024-3047
Vulnerability Analysis
The vulnerability resides in the plugin's transform() function, which processes user-supplied URLs without sufficient validation or allow-listing. The plugin issues outbound HTTP requests using attacker-controlled input, allowing requests to be directed at internal hosts. Because the request originates from the WordPress server, it can bypass network perimeter controls that restrict direct external access to internal services.
The weakness is classified as Server-Side Request Forgery [CWE-918]. Successful exploitation yields limited confidentiality and integrity impact according to the CVSS vector, but the scope is changed because the impacted resource sits beyond the vulnerable component's security authority. The flaw does not require authentication or user interaction, which lowers the barrier for opportunistic mass scanning.
Root Cause
The transform() function accepts URL input and dispatches server-side HTTP requests without restricting destination hosts, schemes, or IP ranges. The function lacks checks for loopback addresses (127.0.0.0/8), link-local addresses (169.254.0.0/16), private RFC 1918 ranges, and non-HTTP schemes. This permissive design allows arbitrary destinations to be reached from the WordPress server context.
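The checks described above (scheme allow-list, destination host resolution, rejection of loopback, link-local, RFC 1918 and other non-public ranges) are shown below in a destination validator for server-side URL fetches. This is an added example, not code from the plugin or its vendor; the function names and the offline resolver table are constructed for illustration.

```python
"""Destination allow-listing for server-side URL fetches (added example, not
plugin code). `resolver` is injectable so the example runs offline against a
constructed lookup table; in production the default uses the system resolver."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # rejects file://, gopher://, ftp://, ...
ALLOWED_PORTS = {80, 443}
# RFC 6598 shared address space: not covered by is_private on older Pythons.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


class UnsafeDestination(ValueError):
    """Raised when a URL must not be fetched from the server."""


def default_resolver(host):
    """Resolve host to every A/AAAA record. Routing IP literals through the
    resolver also normalises shorthand forms (decimal, hex) that the platform
    may accept but ipaddress.ip_address() rejects."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def constructed_resolver(host):
    """Offline stand-in for DNS; every entry here is constructed for the example."""
    table = {
        "example.com": ["93.184.216.34"],
        "intranet.example": ["10.0.0.5"],
        "mixed.example": ["93.184.216.34", "10.1.1.1"],  # one public, one private
        "v6map.example": ["::ffff:127.0.0.1"],             # IPv4-mapped loopback
        "169.254.169.254": ["169.254.169.254"],
        "2130706433": ["127.0.0.1"],                       # decimal form of 127.0.0.1
    }
    if host not in table:
        raise socket.gaierror(f"constructed resolver has no entry for {host!r}")
    return table[host]


def is_public_address(addr_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])  # drop IPv6 scope id
    mapped = getattr(addr, "ipv4_mapped", None)            # ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    if any(addr in net for net in EXTRA_BLOCKED):
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, resolver=default_resolver):
    """Return (host, port, resolved_ips) when the URL may be fetched, else raise.
    Every resolved address must be public: a name resolving to one public and
    one internal address is rejected outright."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeDestination("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeDestination("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeDestination(f"bad port: {exc}") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeDestination(f"port not allowed: {port}")
    try:
        addrs = resolver(host)
    except (socket.gaierror, UnicodeError) as exc:
        raise UnsafeDestination(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise UnsafeDestination(f"no addresses for {host!r}")
    non_public = [a for a in addrs if not is_public_address(a)]
    if non_public:
        raise UnsafeDestination(f"{host!r} resolves to non-public {non_public}")
    return host, port, addrs


def check_url(url, resolver=default_resolver):
    """Convenience wrapper: None when allowed, otherwise the rejection reason."""
    try:
        validate_outbound_url(url, resolver)
    except UnsafeDestination as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for u in ("https://example.com/invoice.pdf", "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/", "file:///etc/passwd", "http://mixed.example/"):
        print(f"{u:48} -> {check_url(u, constructed_resolver) or 'allowed'}")
```

The validator returns the resolved addresses so the HTTP client can connect to those pinned IPs (sending the original Host header) rather than resolving the name a second time; re-resolving opens a DNS-rebinding window between check and use. The client must also refuse to follow redirects automatically, or re-run the validation on every hop, since a redirect to an internal address bypasses a check that only looked at the first URL.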
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to the vulnerable plugin endpoint, supplying a URL that targets an internal resource. The WordPress server resolves the URL and issues the request on the attacker's behalf. Targets of interest include cloud instance metadata services (such as http://169.254.169.254/), internal admin panels, databases bound to localhost, and other plugins exposing local-only endpoints. Whether the response body itself or only its side effects can be observed depends on the plugin's behavior.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-3047
Indicators of Compromise
- Outbound HTTP requests from the WordPress PHP process to 169.254.169.254, 127.0.0.1, or RFC 1918 ranges
- Web server access logs containing requests to plugin endpoints with URL parameters pointing to internal hosts or cloud metadata endpoints
- Unexpected DNS lookups originating from the WordPress host for internal hostnames
Detection Strategies
- Inspect web server logs for requests targeting the PDF Invoices & Packing Slips plugin with URL-valued parameters containing internal IPs, file://, gopher://, or other non-HTTP(S) schemes
- Correlate plugin endpoint hits with outbound network flows from the web server to non-public destinations
- Compare installed plugin versions against 3.8.0 and flag hosts running affected releases
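The log inspection strategy above is shown below as a scanner over access-log lines: it parses each request, URL-decodes every query parameter (including double encoding), and flags values that are URLs with a non-http(s) scheme or a host that is an internal address without resolving anything, so the scan runs offline and never contacts the destinations it finds. This is an added example, not part of the advisory or the plugin; the sample log lines, the action name and the parameter names in them are constructed, because the page does not name the vulnerable endpoint or parameter, and the scanner deliberately checks every parameter rather than a fixed name.

```python
"""Offline access-log scanner for URL-valued parameters pointing at internal
destinations (added example, not from the advisory or the plugin)."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined log format, as far as this example needs it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')

SAFE_SCHEMES = {"http", "https"}
INTERNAL_NAMES = {"localhost", "metadata.google.internal"}

# Constructed sample lines; the endpoint, action and parameter names are
# placeholders, not the plugin's real ones.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2024:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=pdf_example&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
203.0.113.7 - - [02/May/2024:10:15:03 +0000] "GET /wp-admin/admin-ajax.php?action=pdf_example&url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0
198.51.100.9 - - [02/May/2024:10:16:10 +0000] "GET /wp-admin/admin-ajax.php?action=pdf_example&url=https%3A%2F%2Fcdn.example%2Flogo.png&post_id=42 HTTP/1.1" 200 4096
203.0.113.7 - - [02/May/2024:10:17:22 +0000] "GET /?src=http%253A%252F%252F127.0.0.1%253A3306%252F HTTP/1.1" 200 128
203.0.113.7 - - [02/May/2024:10:18:05 +0000] "GET /wp-admin/admin-ajax.php?action=pdf_example&url=https%3A%2F%2F%5B%3A%3Affff%3Aa9fe%3Aa9fe%5D%2F HTTP/1.1" 200 512
"""


def is_internal_host(host):
    """Classify a URL host without resolving it: IP literals by range
    (IPv4-mapped IPv6 unwrapped first), names by a small deny-list of
    well-known internal names and suffixes."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in INTERNAL_NAMES or host.endswith((".internal", ".local", ".localhost"))
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return not addr.is_global


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; parse_qsl already
    removed one, so this catches double- and triple-encoded values."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(path):
    """Yield (name, value, reason) for query parameters whose value is a URL
    with a disallowed scheme or an internal host."""
    for name, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = fully_decode(raw)
        parts = urlsplit(value)
        if not parts.scheme and not parts.netloc:
            continue                      # not URL-shaped (ids, flags, ...)
        if parts.scheme and parts.scheme not in SAFE_SCHEMES:
            yield name, value, f"scheme {parts.scheme}"
        elif parts.hostname and is_internal_host(parts.hostname):
            yield name, value, f"internal host {parts.hostname}"


def scan_log(text):
    """Return findings as (client_ip, status, param, decoded_value, reason)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value, reason in suspicious_params(m["path"]):
            findings.append((m["ip"], m["status"], name, value, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run on a real log, the scanner produces candidates for review, not verdicts: a legitimate integration may fetch from a private CDN, so pair the hits with the outbound flow records the next bullet describes before escalating. The host classification here is deliberately literal-only; a hostname that resolves to an internal address is invisible to it, which is why the outbound-connection indicators above remain necessary.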
Monitoring Recommendations
- Alert on PHP-FPM or web server processes initiating connections to instance metadata services or loopback ports
- Monitor egress traffic from WordPress hosts and baseline expected outbound destinations
- Enable Wordfence or equivalent WordPress security telemetry to flag known SSRF patterns against this plugin
How to Mitigate CVE-2024-3047
Immediate Actions Required
- Upgrade the PDF Invoices & Packing Slips for WooCommerce plugin to a version later than 3.8.0
- Audit WordPress hosts for the affected plugin version using wp plugin list or equivalent inventory tooling
- Restrict egress traffic from WordPress servers to known-required destinations only
Patch Information
The vendor addressed the issue in a release tracked by WordPress Plugin Changeset 3076105. Update to the latest available version of the plugin through the WordPress admin dashboard or via WP-CLI using wp plugin update woocommerce-pdf-invoices-packing-slips.
Workarounds
- Deploy a Web Application Firewall (WAF) rule blocking requests to the plugin's endpoints when parameters reference internal IP ranges or non-HTTP schemes
- Apply network-level egress filtering to block WordPress server access to cloud metadata endpoints such as 169.254.169.254
- Configure instance metadata service v2 (IMDSv2) on AWS hosts to require session tokens, reducing SSRF impact
- Temporarily deactivate the plugin if patching is not immediately feasible
# Update the affected plugin via WP-CLI
wp plugin update woocommerce-pdf-invoices-packing-slips
# Verify the installed version
wp plugin get woocommerce-pdf-invoices-packing-slips --field=version
# Block egress to AWS metadata service at the host level
iptables -A OUTPUT -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.