CVE-2025-13773 Overview
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress contains a critical Remote Code Execution (RCE) vulnerability in all versions up to and including 5.8.0. The vulnerability exists in the WooCommerce_Delivery_Notes::update function due to a combination of a missing capability check, PHP code execution enabled in Dompdf, and insufficient output escaping in the template.php file. This chain of security weaknesses allows unauthenticated attackers to execute arbitrary code on vulnerable WordPress servers.
Critical Impact
Unauthenticated attackers can achieve full remote code execution on WordPress servers running vulnerable versions of this WooCommerce plugin, potentially leading to complete server compromise, data theft, and website defacement.
Affected Products
- Print Invoice & Delivery Notes for WooCommerce plugin versions up to and including 5.8.0
- WordPress installations with the vulnerable plugin installed
- WooCommerce stores using this plugin for invoice and delivery note generation
Discovery Timeline
- December 24, 2025 - CVE-2025-13773 published to NVD
- December 29, 2025 - Last updated in NVD database
Technical Details for CVE-2025-13773
Vulnerability Analysis
This vulnerability represents a classic code injection flaw (CWE-94) that enables unauthenticated remote code execution. The attack chain exploits three distinct weaknesses that, when combined, create a severe security risk. The WooCommerce_Delivery_Notes::update function lacks proper authorization checks, allowing any user—authenticated or not—to invoke it. The plugin bundles Dompdf with PHP evaluation capabilities enabled, providing a code execution vector. Finally, the invoice template.php file fails to properly escape user-controlled input before it reaches the Dompdf renderer.
When Dompdf processes a specially crafted PDF template containing embedded PHP code, the PhpEvaluator class executes the malicious payload with the privileges of the web server process. This grants attackers the ability to run arbitrary system commands, read sensitive files, establish persistent backdoors, or pivot to other systems on the network.
Root Cause
The root cause stems from multiple defense-in-depth failures: the absence of capability checks in critical plugin functions, enabling of dangerous Dompdf features that allow PHP code evaluation during PDF rendering, and inadequate input sanitization and output escaping in template files. The update function at line 347 of class-woocommerce-delivery-notes.php and the PhpEvaluator class at line 52 of PhpEvaluator.php are central to the vulnerability chain.
Attack Vector
This is a network-accessible vulnerability that requires no authentication or user interaction. An attacker can remotely exploit this vulnerability by sending specially crafted requests to the WordPress installation. The malicious payload is processed through the plugin's PDF generation functionality, where the Dompdf library evaluates any embedded PHP code. The attack complexity is low, making this vulnerability particularly dangerous for internet-facing WordPress sites.
Due to the sensitive nature of this vulnerability and the lack of verified code examples, detailed exploitation techniques are not provided here. Security researchers can review the plugin source code and the Wordfence vulnerability report for technical details.
Detection Methods for CVE-2025-13773
Indicators of Compromise
- Unexpected PHP files or webshells appearing in WordPress directories, particularly within the wp-content/plugins/woocommerce-delivery-notes/ path
- Anomalous POST requests to WordPress admin-ajax.php or plugin endpoints containing PHP code snippets or embedded script tags
- Web server logs showing requests with encoded PHP payloads targeting the WooCommerce Delivery Notes plugin
- New or modified cron jobs, user accounts, or database entries indicating persistent access
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block requests containing PHP code patterns targeting this plugin's endpoints
- Monitor WordPress error logs and web server access logs for unusual activity related to the woocommerce-delivery-notes plugin
- Implement file integrity monitoring (FIM) on WordPress installation directories to detect unauthorized file modifications
- Use WordPress security plugins to scan for known malicious code patterns and unexpected file changes
Monitoring Recommendations
- Enable verbose logging for the WordPress installation and monitor for PHP execution errors or warnings
- Set up alerts for new process spawning from the web server user (www-data, apache, nginx)
- Monitor outbound network connections from the WordPress server for potential command-and-control communications
- Review WordPress user accounts and plugin settings regularly for unauthorized changes
How to Mitigate CVE-2025-13773
Immediate Actions Required
- Update the Print Invoice & Delivery Notes for WooCommerce plugin to the latest patched version immediately
- If immediate patching is not possible, deactivate and remove the vulnerable plugin until a fix can be applied
- Audit WordPress installations for signs of compromise, including unauthorized files, users, or database modifications
- Review web server and WordPress logs for exploitation attempts
Patch Information
A patch has been released to address this vulnerability. The fix is documented in the plugin changeset 3426119. Administrators should update to the latest version of the Print Invoice & Delivery Notes for WooCommerce plugin through the WordPress admin dashboard or by downloading the updated plugin directly from the WordPress plugin repository. The patch adds proper capability checks to the update function and implements appropriate output escaping in the template files.
Workarounds
- Disable or uninstall the Print Invoice & Delivery Notes for WooCommerce plugin until it can be updated to a patched version
- Implement IP-based access restrictions to the WordPress admin area and plugin endpoints using web server configuration
- Deploy a web application firewall (WAF) with rules specifically blocking PHP code injection patterns
- If the plugin must remain active, consider restricting access to the PDF generation functionality through htaccess or nginx configuration rules
# Apache: Restrict access to plugin directory (temporary mitigation)
<Directory "/var/www/html/wp-content/plugins/woocommerce-delivery-notes">
Order deny,allow
Deny from all
# Allow only trusted IP addresses if needed
# Allow from 192.168.1.0/24
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
