WordPress Security Bulletin: PDF Invoices & Packing Slips for WooCommerce plugin (CVE-2026-1906)

Security Alert Summary

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress contains an insecure direct object reference vulnerability that allows authenticated users with Subscriber-level access and above to modify Peppol/EDI endpoint identifiers for arbitrary orders via a named AJAX action. This can affect order routing on the Peppol network and may cause payment disruptions or data leakage on sites using Peppol invoicing.


CVE Details

  • CVE ID: CVE-2026-1906
  • Affected plugin / component: PDF Invoices & Packing Slips for WooCommerce plugin for WordPress
  • Affected versions: All versions up to and including 5.6.0
  • Published: February 18, 2026 at 6:16:34 AM UTC
  • Last modified: February 18, 2026 at 6:16:34 AM UTC
  • CVSS v3.1 base score: 4.3
  • CVSS v3.1 severity: MEDIUM
  • CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction:
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: LOW (authenticated users such as Subscribers and above)
    • User Interaction: NONE
    • Scope: UNCHANGED
  • Primary impact:
    • Confidentiality: NONE (per CVSS data)
    • Integrity: LOW — allows modification of Peppol/EDI endpoint identifiers
    • Availability: NONE
  • CWE / weakness ID: CWE-862

Technical Details

This vulnerability is an Insecure Direct Object Reference (IDOR) present in the plugin’s AJAX handling. The AJAX action wpo_ips_edi_save_order_customer_peppol_identifiers lacks proper capability checks and does not validate order ownership. Because these checks are missing, an authenticated user with low privileges (Subscriber-level and above) can submit a request specifying an arbitrary order_id and change the Peppol/EDI endpoint identifiers (peppol_endpoint_id, peppol_endpoint_eas) for that order’s customer.

The flaw exists due to missing authorization logic on the endpoint that processes the AJAX action: it neither verifies that the requesting user has the required capabilities nor confirms that the order being modified belongs to the requesting user or an authorized role. The direct effect is modification of routing-related fields used by Peppol invoicing systems.

Impact is limited to modification of those identifiers (integrity impact). The CVE description also notes this can affect order routing on the Peppol network and may result in payment disruptions and data leakage where Peppol invoicing is used.
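To make the missing controls concrete, here is an added example of a WordPress AJAX handler for the action named above, written with the checks the bulletin says the vulnerable version lacks: a nonce check, a capability check, and an ownership check that ties the supplied order_id to the requesting customer. This is illustrative code written for this bulletin, not the plugin's own code and not a description of the vendor's fix. The nonce name, the helper function, the choice of the manage_woocommerce capability, the four-digit EAS format check and the decision to store the identifiers as order meta are all assumptions.

```php
<?php
// Constructed example for this bulletin, not code from the plugin.
// Demonstrates the authorization logic an AJAX handler of this kind needs.

add_action(
    'wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers',
    'example_save_order_peppol_identifiers'
);

function example_save_order_peppol_identifiers() {
    // 1. Request forgery protection: the request must carry a nonce issued for
    //    this action. 'example_peppol_nonce' / 'security' are assumed names.
    check_ajax_referer( 'example_peppol_nonce', 'security' );

    // 2. Resolve the order. absint() discards non-numeric input and
    //    wc_get_order() returns false for IDs that do not exist.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order instanceof WC_Order ) {
        wp_send_json_error( array( 'message' => 'Invalid order.' ), 400 );
    }

    // 3. Authorization: the check the vulnerable version is described as
    //    missing. Shop staff may edit any order; a customer may edit only an
    //    order they own. A Subscriber who owns neither is rejected here, so an
    //    arbitrary order_id no longer reaches the write below.
    if ( ! example_user_can_edit_order( $order, get_current_user_id() ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Sanitize and validate the identifiers before storing them.
    $endpoint_id  = sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_id'] ?? '' ) );
    $endpoint_eas = sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_eas'] ?? '' ) );

    // Peppol EAS scheme codes are four-digit strings (e.g. 0088 for a GLN);
    // reject anything else rather than routing invoices to a malformed scheme.
    if ( '' === $endpoint_id || ! preg_match( '/^\d{4}$/', $endpoint_eas ) ) {
        wp_send_json_error( array( 'message' => 'Invalid Peppol identifier.' ), 400 );
    }

    // 5. Audit trail: record who changed routing-related fields. This is what
    //    makes "unexpected changes to endpoint identifiers" visible in the
    //    order history when monitoring for abuse.
    $order->add_order_note(
        sprintf(
            'Peppol endpoint changed to %s (EAS %s) by user #%d.',
            $endpoint_id,
            $endpoint_eas,
            get_current_user_id()
        ),
        false, // not a customer-facing note
        true   // attribute the note to the current user
    );

    // Storing as order meta is an assumption made for this example.
    $order->update_meta_data( 'peppol_endpoint_id', $endpoint_id );
    $order->update_meta_data( 'peppol_endpoint_eas', $endpoint_eas );
    $order->save();

    wp_send_json_success( array( 'order_id' => $order->get_id() ) );
}

/**
 * Ownership / capability check (assumed helper, not part of the plugin).
 * Returns true only for shop staff or the customer the order belongs to.
 */
function example_user_can_edit_order( WC_Order $order, int $user_id ): bool {
    // manage_woocommerce is granted to administrators and shop managers.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Guest orders carry customer ID 0; never treat them as owned by a
    // logged-in user, and never let a logged-out request match them.
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}
```

The two checks in step 3 are independent: the capability check alone would still let any Subscriber through (they lack manage_woocommerce but the handler must then fall back to ownership), and the ownership check alone would lock out legitimate shop staff. Both are required for the handler to match the authorization model the bulletin describes as absent.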


How This Could Impact Your Website

On a typical WooCommerce site using this plugin and Peppol invoicing, consider a setup with a site owner (administrator), internal staff (shop managers or editors), and external contributors or contractors who have Subscriber or higher access for account maintenance.

  • An authenticated external contractor or low-privilege staff member could submit the AJAX request with a manipulated order_id and change the Peppol endpoint identifiers for another customer’s order.
  • Modified endpoint identifiers can cause invoices to be routed to incorrect endpoints on the Peppol network, potentially causing payment processing failures or misdirected invoices.
  • The CVE description mentions possible data leakage; depending on how endpoint identifiers and related metadata are used, this could expose information tied to orders or recipients used in invoicing workflows.

These outcomes do not necessarily imply full site compromise, but they can disrupt financial workflows and increase the risk of erroneous data disclosure. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and any accounts with more privileges than required.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site and order activity logs for unusual behavior, including unexpected changes to order metadata or endpoint identifiers.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
