CVE-2025-13773

CRITICAL EXPLOITED NUCLEI

Print Invoice & Delivery Notes for WooCommerce <5.8.0 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-13773 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.

Nuclei Templates (1)

WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
CRITICALVERIFIEDby PikaJuna-ops
FOFA: body="wp-content/plugins/woocommerce-delivery-notes/"

References (7)

Core 7
Core References

Scores

CVSS v3 9.8
EPSS 0.0874
EPSS Percentile 92.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-12-24
CWE
CWE-94
Status published
Products (1)
tychesoftwares/Print Invoice & Delivery Notes for WooCommerce < 5.8.0
Published Dec 24, 2025
Tracked Since Feb 18, 2026