Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for woocommerce-pdf-invoices-packing-slips by wpovernight

    CVE-2025-24373 (GCVE-0-2025-24373)

    Vulnerability from nvd – Published: 2025-02-04 18:45 – Updated: 2025-02-12 20:51
    VLAI
    Title
    Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips
    Summary
    woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print & automatically email PDF invoices & packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store's document access is set to "guest." and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24373",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T20:05:23.120044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:51:28.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "woocommerce-pdf-invoices-packing-slips",
              "vendor": "wpovernight",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print \u0026 automatically email PDF invoices \u0026 packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store\u0027s document access is set to \"guest.\" and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-04T18:45:51.078Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/security/advisories/GHSA-3j9m-cp35-94fr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/security/advisories/GHSA-3j9m-cp35-94fr"
            },
            {
              "name": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/commit/6daeff87f8a7f941f0f7cf4637f41d22c4428c30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/commit/6daeff87f8a7f941f0f7cf4637f41d22c4428c30"
            }
          ],
          "source": {
            "advisory": "GHSA-3j9m-cp35-94fr",
            "discovery": "UNKNOWN"
          },
          "title": "Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-24373",
        "datePublished": "2025-02-04T18:45:51.078Z",
        "dateReserved": "2025-01-20T15:18:26.992Z",
        "dateUpdated": "2025-02-12T20:51:28.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24373 (GCVE-0-2025-24373)

    Vulnerability from cvelistv5 – Published: 2025-02-04 18:45 – Updated: 2025-02-12 20:51
    VLAI
    Title
    Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips
    Summary
    woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print & automatically email PDF invoices & packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store's document access is set to "guest." and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24373",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T20:05:23.120044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:51:28.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "woocommerce-pdf-invoices-packing-slips",
              "vendor": "wpovernight",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print \u0026 automatically email PDF invoices \u0026 packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store\u0027s document access is set to \"guest.\" and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-04T18:45:51.078Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/security/advisories/GHSA-3j9m-cp35-94fr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/security/advisories/GHSA-3j9m-cp35-94fr"
            },
            {
              "name": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/commit/6daeff87f8a7f941f0f7cf4637f41d22c4428c30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/commit/6daeff87f8a7f941f0f7cf4637f41d22c4428c30"
            }
          ],
          "source": {
            "advisory": "GHSA-3j9m-cp35-94fr",
            "discovery": "UNKNOWN"
          },
          "title": "Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-24373",
        "datePublished": "2025-02-04T18:45:51.078Z",
        "dateReserved": "2025-01-20T15:18:26.992Z",
        "dateUpdated": "2025-02-12T20:51:28.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }