CVE-2023-4161 MEDIUM

CVE-2023-4161: WooCommerce PDF Invoice Builder <= 1.2.90 - Cross-Site Request Forgery to Custom Field Creation

Vendor Edgarrojas
Product PDF Builder for WooCommerce. Create invoices,packing slips and more
Weakness CWE-352 · CSRF
Published August 31, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The WooCommerce PDF Invoice Builder for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the SaveCustomField function in versions up to, and including, 1.2.90. This makes it possible for unauthenticated attackers to create invoice fields provided they can trick an admin into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

August 31, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-47181 WordPress Email Templates Plugin <= 1.4.2 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-49354 WordPress Recent Posts From Each Category plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability CVE-2022-1914 Clean-Contact <= 1.6 - Arbitrary Settings Update to Stored XSS via CSRF CVE-2021-24161 Responsive Menu < 4.0.4 - CSRF to Arbitrary File Upload CVE-2025-62107 WordPress Feather Login Page plugin <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability