CVE-2026-52704 Overview
CVE-2026-52704 is a code injection vulnerability in the Edgar Rojas WooCommerce PDF Invoice Builder plugin for WordPress. The flaw allows remote code inclusion against any installation running version 2.0.8 or earlier. Unauthenticated attackers can execute arbitrary code on the WordPress host over the network without user interaction. The issue is categorized under [CWE-94] Improper Control of Generation of Code.
Critical Impact
Unauthenticated remote attackers can include and execute arbitrary code, achieving full compromise of the WordPress site and underlying server.
Affected Products
- Edgar Rojas WooCommerce PDF Invoice Builder plugin for WordPress
- All versions from initial release through 2.0.8
- WordPress sites running WooCommerce with this plugin enabled
Discovery Timeline
- 2026-06-15 - CVE-2026-52704 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-52704
Vulnerability Analysis
The WooCommerce PDF Invoice Builder plugin fails to properly control how externally supplied input is incorporated into code generation paths. An attacker can supply a remote resource that the plugin then includes and evaluates during request processing. Because the inclusion occurs in PHP execution context, the supplied payload runs with the privileges of the web server user.
The vulnerability requires no authentication and no user interaction. Its CVSS scope is Changed, meaning exploitation impacts resources beyond the vulnerable component itself, such as other plugins, themes, and the host operating system. Successful exploitation breaks the confidentiality, integrity, and availability of the affected site.
Root Cause
The root cause is improper neutralization of attacker-controlled input that flows into a code generation or file inclusion routine. Input that should be treated as data is instead interpreted as executable code or as a path to a remote resource. The plugin lacks validation that would restrict inclusion sources to a trusted allowlist of local files.
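The following is an added illustration of the control the advisory says is missing: a template name supplied by the request is only ever mapped through a fixed allowlist to a file inside one local directory, and is never treated as a URL or a path. It is written in Python as a language-neutral example and is not code from the plugin (which is PHP); the allowlisted names and the base directory are assumptions.

```python
"""Allowlist-based resolution of a user-supplied template name to a local file.
Added example, not plugin code. ALLOWED_TEMPLATES and the base directory are
assumed values for illustration."""
import re
from pathlib import Path

# Assumed set of template names the application ships with.
ALLOWED_TEMPLATES = {"default", "compact", "detailed"}
# A name is a short token: no slashes, dots, colons or NULs, so no scheme,
# wrapper (php://, data://) or traversal sequence can pass this check.
TEMPLATE_NAME = re.compile(r"[a-z0-9_-]{1,32}")


def resolve_template(name, base_dir):
    """Return the absolute path of an allowlisted template file, or None when
    the request must be rejected. The input is never used as a URL or path."""
    if not isinstance(name, str) or not TEMPLATE_NAME.fullmatch(name):
        return None                      # malformed token: scheme, path, etc.
    if name not in ALLOWED_TEMPLATES:
        return None                      # known token format, but not allowlisted
    base = Path(base_dir).resolve()
    candidate = (base / f"{name}.php").resolve()
    # Defence in depth: even with the regex and allowlist, confirm the
    # resolved file still lies inside the template directory.
    if base not in candidate.parents:
        return None
    return candidate


def check_requests(base_dir, names):
    """Map each requested name to 'accept' or 'reject' (helper for demonstration)."""
    return {n: ("accept" if resolve_template(n, base_dir) else "reject") for n in names}


if __name__ == "__main__":
    # Constructed base directory; it need not exist for resolve() to work.
    BASE = "/var/www/html/wp-content/plugins/woo-pdf-invoice-builder/templates"
    for name, verdict in check_requests(
        BASE, ["default", "http://203.0.113.9/x.txt", "php://input",
               "../../../wp-config", "other"]).items():
        print(f"{verdict:7} {name}")
```

The regex alone would already stop remote URLs and wrappers; the allowlist is what prevents a merely well-formed token from selecting an unexpected local file, and the `parents` check guards against a future change that relaxes the regex.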
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to a plugin endpoint that processes user input as a code or file source. The plugin retrieves the attacker-controlled resource and includes it in the PHP execution context. The included content executes as PHP, granting the attacker arbitrary code execution. From there, attackers can establish persistence, exfiltrate database contents, pivot to adjacent systems, or deploy webshells.
For technical specifics, refer to the Patchstack WooCommerce Plugin Vulnerability advisory.
Detection Methods for CVE-2026-52704
Indicators of Compromise
- Unexpected outbound HTTP or HTTPS requests originating from the WordPress server during invoice generation flows
- New or modified PHP files under wp-content/uploads/, wp-content/plugins/woo-pdf-invoice-builder/, or the WordPress root
- WordPress administrator accounts created without a corresponding audit log entry
- Web server processes spawning shell utilities such as sh, bash, wget, or curl
Detection Strategies
- Inspect web access logs for requests to WooCommerce PDF Invoice Builder endpoints containing remote URLs or PHP wrapper schemes such as php://, data://, or http:// in parameters
- Hunt for PHP processes invoking include, require, or eval on dynamically constructed paths via web application firewall telemetry
- Compare plugin file hashes against a known-good baseline from the vendor distribution
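As an added example of the first detection strategy above (not part of the advisory), the script below parses Apache/nginx combined-format access log lines, keeps only requests under the plugin's path, URL-decodes each query parameter (twice, to catch double encoding) and flags values carrying a remote URL scheme or PHP stream wrapper. The plugin path comes from the advisory; the sample log lines and the endpoint file name `example-endpoint.php` in them are constructed and are not real plugin endpoints.

```python
"""Flag access-log requests to the WooCommerce PDF Invoice Builder plugin whose
query parameters contain remote URL schemes or PHP wrappers. Added detection
example; sample log lines below are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Plugin directory name as given in the advisory.
PLUGIN_PATH = "/wp-content/plugins/woo-pdf-invoice-builder/"
# Schemes/wrappers that never belong in a parameter naming a local file,
# plus protocol-relative '//host' forms.
SUSPICIOUS = re.compile(r"(?i)(?:^|[^a-z])(?:https?|ftp|php|data|phar|expect)://|^//")
# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return (name, decoded value) pairs whose value carries a scheme/wrapper."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)         # parse_qsl decoded once; catch %25xx too
        if SUSPICIOUS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Yield one finding dict per plugin request with a suspicious parameter."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue                     # not a combined-format line
        target = m.group("target")
        if PLUGIN_PATH not in target:
            continue                     # only plugin endpoints are in scope here
        hits = suspicious_params(target)
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"),
                             "status": m.group("status"), "params": hits})
    return findings


# Constructed sample lines (RFC 5737 addresses, made-up endpoint file name).
SAMPLE_LINES = [
    '203.0.113.7 - - [15/Jun/2026:10:01:22 +0000] "GET /wp-content/plugins/'
    'woo-pdf-invoice-builder/assets/pdf.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jun/2026:10:02:03 +0000] "GET /wp-content/plugins/'
    'woo-pdf-invoice-builder/example-endpoint.php?order_id=1042 HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jun/2026:10:02:31 +0000] "GET /wp-content/plugins/'
    'woo-pdf-invoice-builder/example-endpoint.php?template=http%3A%2F%2F'
    '198.51.100.77%2Ft.txt HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '198.51.100.4 - - [15/Jun/2026:10:02:40 +0000] "POST /wp-content/plugins/'
    'woo-pdf-invoice-builder/example-endpoint.php?template=php%3A%2F%2Finput '
    'HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Jun/2026:10:03:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&u=http%3A%2F%2Fexample.com HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {f['params']}")
```

Access logs record only the query string, so parameters sent in a POST body are invisible here; that part of the strategy needs WAF or application-level request logging. Widening the path filter (or removing it) turns the same script into a site-wide sweep for wrapper schemes in any parameter.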
Monitoring Recommendations
- Enable WordPress audit logging for plugin file changes, user creation, and option modifications
- Forward web server, PHP-FPM, and WordPress logs to a centralized analytics platform for correlation
- Alert on web server users executing operating system commands or writing to PHP files outside expected upload directories
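The added example below serves the hash-baseline strategy under Detection Strategies and the "new or modified PHP files" indicator under Indicators of Compromise: it hashes a plugin directory tree, diffs it against a known-good SHA-256 manifest and reports added, modified and missing files, calling out newly appeared PHP files separately. It is not part of the advisory or the plugin; the plugin tree it builds in a temporary directory is constructed for the demonstration, and in practice the baseline manifest is generated from a pristine copy of the vendor distribution.

```python
"""Plugin file-integrity check: compare a directory tree against a SHA-256
baseline manifest. Added example; the demo tree and tampering are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path (relative, '/'-separated) under root to its digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Diff two manifests; added PHP files are listed separately as high-priority."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    new_php = [k for k in added if k.lower().endswith(PHP_SUFFIXES)]
    return {"added": added, "modified": modified, "missing": missing,
            "new_php": new_php}


def demo():
    """Build a constructed plugin tree, snapshot it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "woo-pdf-invoice-builder"
        (root / "includes").mkdir(parents=True)
        (root / "plugin.php").write_text("<?php // constructed plugin main file\n")
        (root / "includes" / "render.php").write_text("<?php // constructed renderer\n")
        (root / "readme.txt").write_text("constructed readme\n")
        baseline = hash_tree(root)       # stand-in for the vendor-derived manifest

        # Constructed post-incident changes: one edit, one new PHP file, one deletion.
        (root / "includes" / "render.php").write_text("<?php // constructed edit\n")
        (root / "includes" / "cache.php").write_text("<?php // constructed new file\n")
        (root / "readme.txt").unlink()
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9} {files}")
```

Run the same `hash_tree`/`compare` pair against the live plugin directory and a manifest produced from the vendor package of the same version; a non-empty `new_php` list under a plugin or uploads directory is the finding to triage first.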
How to Mitigate CVE-2026-52704
Immediate Actions Required
- Disable or remove the WooCommerce PDF Invoice Builder plugin until a patched version is confirmed installed
- Restrict access to WordPress admin and plugin endpoints with IP allowlisting at the web server or WAF layer
- Review the WordPress installation for webshells, unauthorized administrator accounts, and modified core or plugin files
- Rotate WordPress administrator credentials, database passwords, and any API keys stored in wp-config.php
Patch Information
No fixed version was identified in the available references at the time of publication. Monitor the Patchstack advisory and the plugin's WordPress.org page for a vendor-supplied update beyond version 2.0.8.
Workarounds
- Deactivate the plugin in the WordPress admin until a verified patch is available
- Deploy a web application firewall rule that blocks requests containing remote URL schemes or PHP wrappers in query parameters and POST bodies
- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to prevent remote file inclusion at the interpreter level
- Restrict the web server user's filesystem write permissions to only the directories required for WordPress operation
# Configuration example
# Disable remote inclusion in php.ini
allow_url_include = Off
allow_url_fopen = Off
# Deactivate the vulnerable plugin via WP-CLI
wp plugin deactivate woo-pdf-invoice-builder
wp plugin delete woo-pdf-invoice-builder
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.