CVE-2025-24373— Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips

Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips

woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print & automatically email PDF invoices & packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store's document access is set to "guest." and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

N/A

信息暴露

PDF Invoices & Packing Slips for WooCommerce 信息泄露漏洞

PDF Invoices & Packing Slips for WooCommerce是WP Overnight开源的一个为 WooCommerce 订单创建、打印和自动发送 PDF 发票的工具。 PDF Invoices & Packing Slips for WooCommerce 4.0.0之前版本存在信息泄露漏洞，该漏洞源于允许未经授权的用户访问商店中的任何PDF文档。

N/A

N/A