CVE-2026-52704 CRITICAL

CVE-2026-52704: WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability

Vendor Edgar Rojas

Product WooCommerce PDF Invoice Builder

Weakness CWE-94 · Code injection

Published June 15, 2026

Last update June 15, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

Key dates

Disclosure timeline

June 15, 2026 CVE published

June 15, 2026 Record updated

Identifiers

CVE CVE-2026-52704

CWE CWE-94

CVSS 10.0 / CRITICAL

Affected versions

Vendor Edgar Rojas

Product WooCommerce PDF Invoice Builder

Affected ≥ n/a and ≤ 2.0.8