CVE-2025-47537 HIGH

CVE-2025-47537: WordPress PDF Invoice Builder for WooCommerce plugin <= 5.3.8 - SQL Injection Vulnerability

Vendor Add-Ons.org
Product PDF Invoice Builder for WooCommerce
Weakness CWE-89 · SQLi
Published May 7, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows SQL Injection.This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 5.3.8.

Explanation of Vulnerability in Simple Terms

02Summary

PDF Invoice Builder for WooCommerce versions up to 5.3.8 contain a SQL injection vulnerability in database queries. An attacker with high-level site privileges can craft malicious input to extract sensitive data from the database or disrupt site availability. The vulnerability requires administrative access to exploit and does not affect data integrity.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the site database or cause temporary service disruption.

Potential impact on your site

04Site Impact

A compromised admin account could expose customer data, order details, or payment information stored in your database.

Conditions required to exploit

05Prerequisites

Attacker must have high-level site privileges (e.g., administrator or shop manager role).

Key dates

06Disclosure timeline

May 7, 2025 CVE published
April 28, 2026 Record updated