CVE-2026-1906 Overview
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 5.6.0. The vulnerability exists in the wpo_ips_edi_save_order_customer_peppol_identifiers AJAX action, which lacks proper capability checks and order ownership validation. This security flaw allows authenticated attackers with Subscriber-level access or higher to modify Peppol/EDI endpoint identifiers for any customer by manipulating the order_id parameter.
Critical Impact
Authenticated attackers can modify Peppol endpoint identifiers (peppol_endpoint_id, peppol_endpoint_eas) for arbitrary orders, potentially causing payment disruptions, order routing failures on the Peppol network, and sensitive data leakage on affected e-commerce systems.
Affected Products
- PDF Invoices & Packing Slips for WooCommerce plugin versions ≤ 5.6.0
- WordPress sites using Peppol invoicing functionality
- WooCommerce stores with EDI/Peppol integration enabled
Discovery Timeline
- 2026-02-18 - CVE-2026-1906 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-1906
Vulnerability Analysis
This Insecure Direct Object Reference vulnerability stems from missing authorization controls in the plugin's AJAX handler responsible for managing Peppol/EDI customer identifiers. The wpo_ips_edi_save_order_customer_peppol_identifiers function processes requests without verifying that the authenticated user owns the specified order or has administrative privileges to modify it.
When a user submits a request to update Peppol identifiers, the plugin accepts an order_id parameter that directly references a WooCommerce order object. Because there is no validation to confirm the requesting user's relationship to the order, any authenticated user with at least Subscriber-level access can specify arbitrary order IDs and overwrite the Peppol endpoint configuration for other customers' orders.
The Peppol network is a standardized e-invoicing framework used extensively in European business-to-business transactions. Tampering with these identifiers can redirect invoices to incorrect recipients, disrupt automated payment workflows, and expose sensitive business transaction data to unauthorized parties.
Root Cause
The vulnerability is classified under CWE-862 (Missing Authorization). The root cause is the absence of capability checks and ownership validation in the AJAX action handler. Specifically:
- The function does not verify that the current user has appropriate WordPress capabilities (such as manage_woocommerce or edit_shop_orders)
- There is no check to confirm that the authenticated user is the owner of the order being modified
- The order_id parameter is directly used without sanitization or authorization context
The vulnerable code can be examined in the plugin source at Admin.php line 72 and line 895.
Attack Vector
The attack is executed over the network and requires authentication with at least Subscriber-level privileges. An attacker can exploit this vulnerability by:
- Registering or compromising a WordPress account with Subscriber-level access on the target site
- Identifying valid order IDs through enumeration or other information disclosure methods
- Sending crafted AJAX requests to the wpo_ips_edi_save_order_customer_peppol_identifiers action with the target order ID and attacker-controlled Peppol endpoint values
- The modified Peppol identifiers are saved, redirecting future invoices and potentially capturing sensitive financial data
The vulnerability requires low privileges and no user interaction, making it relatively straightforward to exploit on sites where user registration is enabled and Peppol invoicing is active.
Detection Methods for CVE-2026-1906
Indicators of Compromise
- Unexpected modifications to peppol_endpoint_id or peppol_endpoint_eas metadata fields in WooCommerce orders
- AJAX requests to wpo_ips_edi_save_order_customer_peppol_identifiers from users without administrative or shop manager roles
- Audit log entries showing Peppol identifier changes initiated by Subscriber-level accounts
- Customer complaints about misdirected invoices or payment issues on the Peppol network
Detection Strategies
- Implement WordPress activity logging to track AJAX action calls and the user roles initiating them
- Monitor for bulk or automated requests to the vulnerable endpoint from low-privilege accounts
- Review WooCommerce order metadata for unauthorized changes to Peppol-related fields
- Set up alerts for Peppol identifier modifications that don't correlate with legitimate administrative activity
Monitoring Recommendations
- Enable comprehensive audit logging using plugins such as WP Activity Log or Wordfence
- Configure real-time alerts for sensitive order metadata modifications
- Regularly audit user accounts and their associated activity, particularly Subscriber-level accounts
- Monitor outbound Peppol network traffic for anomalies that may indicate invoice routing manipulation
How to Mitigate CVE-2026-1906
Immediate Actions Required
- Update the PDF Invoices & Packing Slips for WooCommerce plugin to a patched version beyond 5.6.0
- Review recent order modifications for suspicious Peppol identifier changes
- Temporarily disable user registration if not required until the patch is applied
- Audit all user accounts with Subscriber-level access and above for suspicious activity
Patch Information
The vendor has released security updates to address this vulnerability. Administrators should update through the WordPress plugin management interface or download the latest version from the WordPress Plugin Directory. For detailed vulnerability information, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict user registration on WordPress sites until the plugin can be updated
- Implement a Web Application Firewall (WAF) rule to block AJAX requests to wpo_ips_edi_save_order_customer_peppol_identifiers from non-administrative users
- Temporarily disable Peppol/EDI functionality if not immediately critical to business operations
- Add custom capability checks via a security plugin or custom code snippet to validate user permissions before the AJAX handler executes
# Example: Block vulnerable AJAX action via .htaccess (temporary workaround)
# Add to WordPress root .htaccess file
# Caveat: mod_rewrite can only inspect the URL and query string. WordPress AJAX
# calls normally send "action" in the POST body, which this rule cannot see, so
# it only stops requests that pass the action as a URL parameter. It also blocks
# the action for administrators. Prefer a WAF rule that inspects the POST body,
# or a capability/ownership check in code, for full coverage.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*admin-ajax\.php$ [NC]
RewriteCond %{QUERY_STRING} (^|&)action=wpo_ips_edi_save_order_customer_peppol_identifiers(&|$) [NC]
RewriteRule .* - [F,L]
</IfModule>
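As an added example (not the plugin's or this advisory's own code), a must-use plugin that adds the capability and order-ownership checks described under Root Cause and records every attempt for the Detection Strategies above. It assumes the plugin registers its handler on the standard wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers hook at the default priority 10 and reads the target order from an order_id request parameter; the peppol_guard_* function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Peppol identifier AJAX guard (mu-plugin, added example)
 * Runs before the plugin's own AJAX handler and rejects requests from users
 * who neither manage WooCommerce nor own the referenced order.
 * Assumption: handler hooked on wp_ajax_<action> at priority 10, order passed as order_id.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Shop managers/admins may edit any order; everyone else only their own orders.
function peppol_guard_user_can_edit_order( WC_Order $order, int $user_id ): bool {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Guest orders have customer_id 0; a logged-in user must never claim them.
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}

function peppol_guard_check_request(): void {
    $user_id  = get_current_user_id();
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;
    $order    = ( $order_id && function_exists( 'wc_get_order' ) ) ? wc_get_order( $order_id ) : false;

    $allowed = $order instanceof WC_Order && peppol_guard_user_can_edit_order( $order, $user_id );

    // Detection: log every attempt with the acting user, their roles, the order and the outcome.
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    error_log( sprintf(
        'peppol-guard: user=%d roles=%s order_id=%d ip=%s result=%s',
        $user_id, $roles, $order_id, $ip, $allowed ? 'allowed' : 'denied'
    ) );

    if ( ! $allowed ) {
        // Ends the request here, so the plugin's handler at priority 10 never runs.
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }
}

// Priority 1 guarantees this runs before the plugin's handler on the same hook.
add_action( 'wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers', 'peppol_guard_check_request', 1 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins; the "result=denied" lines in the PHP error log are the audit entries referred to under Indicators of Compromise.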
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


