CVE-2026-1906 MEDIUM

CVE-2026-1906: PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification

Vendor: Wpovernight
Product: PDF Invoices & Packing Slips for WooCommerce
Weakness: CWE-862 · Missing authorization
Published: February 18, 2026
Last update: April 8, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
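The two checks the description names as missing, a capability check and order ownership validation, are shown below in a hardened AJAX handler. This is an added example, not the plugin's code or the vendor's fix: the handler name, the nonce action `example_peppol_identifiers`, and the `_example_` meta keys are hypothetical, and it assumes WordPress and WooCommerce are loaded.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's own code.
// Handler name, nonce action and meta key prefix are assumptions.
add_action(
	'wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers',
	'example_save_peppol_identifiers'
);

function example_save_peppol_identifiers() {
	// 1. CSRF protection: dies with 403 if the nonce is missing or invalid.
	check_ajax_referer( 'example_peppol_identifiers', 'security' );

	// 2. Resolve the order from the caller-supplied id; never trust it as-is.
	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
	$order    = $order_id ? wc_get_order( $order_id ) : false;
	if ( ! $order ) {
		wp_send_json_error( array( 'message' => 'Order not found.' ), 404 );
	}

	// 3. Authorization: shop staff may edit any order, everyone else only
	//    an order that belongs to their own account. Guest orders have
	//    customer id 0, so require a non-zero current user id.
	$user_id  = get_current_user_id();
	$is_staff = current_user_can( 'edit_shop_orders' );
	$is_owner = $user_id > 0 && (int) $order->get_customer_id() === $user_id;
	if ( ! $is_staff && ! $is_owner ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}

	// 4. Only after both checks pass: sanitize and store the identifiers.
	foreach ( array( 'peppol_endpoint_id', 'peppol_endpoint_eas' ) as $field ) {
		if ( isset( $_POST[ $field ] ) ) {
			$value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
			$order->update_meta_data( '_example_' . $field, $value );
		}
	}
	$order->save();

	wp_send_json_success();
}
```

With the ownership check in place, a Subscriber who submits another customer's `order_id` receives a 403 response and nothing is written.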

Explanation of Vulnerability in Simple Terms

02 Summary

The PDF Invoices & Packing Slips for WooCommerce plugin through version 5.6.0 lacks proper authorization checks on the AJAX action that saves a customer's Peppol identifiers. A logged-in user with low privileges can modify the Peppol/EDI endpoint identifiers used for invoicing without proper permission validation. The vulnerability affects data integrity but does not expose sensitive information or disrupt site availability.

What an attacker can do

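03 Attacker Capabilities

A logged-in user with Subscriber-level access or above can modify the Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) of any customer by supplying an arbitrary `order_id`, without proper authorization.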

Potential impact on your site

04 Site Impact

Peppol/EDI endpoint identifiers used for invoices can be altered by unauthorized users, affecting order records, order routing on the Peppol network, and fulfillment accuracy.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege WooCommerce account (e.g., customer or subscriber role), and the site must be using Peppol invoicing.

Key dates

06 Disclosure timeline

February 18, 2026 CVE published
April 8, 2026 Record updated
