WordPress Security Bulletin: PDF Invoices & Packing Slips for WooCommerce Plugin Vulnerability (CVE-2026-1906)

Security Alert Summary

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is affected by an Insecure Direct Object Reference (IDOR) vulnerability in the plugin’s AJAX handling. Authenticated users with Subscriber-level access and above can modify Peppol/EDI endpoint identifiers for arbitrary orders by supplying an order_id parameter to a specific AJAX action, which can alter order routing on the Peppol network and may cause payment disruptions or data exposure in affected deployments.


CVE Details

  • CVE ID: CVE-2026-1906
  • Affected component: The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress
  • Affected versions: All versions up to and including 5.6.0
  • Published: February 18, 2026 at 6:16 AM UTC
  • Last modified: February 18, 2026 at 5:51 PM UTC
  • CVSS v3.1: Base Score 4.3, Severity MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: LOW (authenticated user privileges such as Subscriber)
    • User Interaction: NONE
    • Scope: UNCHANGED
    • Confidentiality Impact: NONE
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (e.g., Subscriber-level or higher). No user interaction is required beyond sending the crafted request.
  • Primary impact: Integrity (low) — unauthorized modification of Peppol/EDI endpoint identifiers for orders. The CVE description also notes possible payment disruptions and data leakage in affected environments.
  • CWE: CWE-862 (Missing Authorization)

Technical Details

The vulnerability is an Insecure Direct Object Reference caused by missing capability checks and a lack of order ownership validation in an AJAX action handler. The CVE description identifies the AJAX action wpo_ips_edi_save_order_customer_peppol_identifiers as the entry point. By providing an arbitrary order_id parameter, an authenticated attacker with Subscriber-level access or higher can update the Peppol/EDI identifiers—specifically peppol_endpoint_id and peppol_endpoint_eas—for orders they do not own.

Because the plugin does not verify that the requesting user has permission to modify the specified order or perform the action, the attacker can target other customers’ orders. The impact described in the CVE includes altered order routing on the Peppol network, which can lead to payment disruptions. The CVE description also indicates the possibility of data leakage in environments using Peppol invoicing.
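To make the root cause concrete, here is an illustrative before/after handler for the AJAX action named in the CVE. This is added example code, not the plugin's own implementation: the function names, the meta keys `_peppol_endpoint_id` / `_peppol_endpoint_eas` and the nonce action string are assumptions, while the WordPress and WooCommerce API calls are real. The vulnerable form trusts `order_id` as supplied; the hardened form verifies a nonce, confirms the order exists, and binds the order to the caller (owner or a user with the WooCommerce `edit_shop_orders` capability) before writing.

```php
<?php
// Added illustrative example; not the plugin's real code. Meta keys and nonce name are assumptions.

// VULNERABLE pattern (the IDOR / CWE-862 described above): any logged-in user can pass an
// arbitrary order_id and the identifiers are written without any authorization check.
function example_peppol_save_vulnerable() {
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order instanceof WC_Order ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // No nonce, no capability check, no ownership check: the write goes through for any order.
    $order->update_meta_data( '_peppol_endpoint_id',  sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_id'] ?? '' ) ) );
    $order->update_meta_data( '_peppol_endpoint_eas', sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_eas'] ?? '' ) ) );
    $order->save();
    wp_send_json_success();
}

// Authorization rule: staff who may edit any shop order, or the customer who owns this order.
function example_user_may_edit_order( WC_Order $order ) : bool {
    if ( current_user_can( 'edit_shop_orders' ) ) {
        return true;
    }
    $uid = get_current_user_id();
    return $uid > 0 && (int) $order->get_customer_id() === $uid;
}

// HARDENED pattern: same write, but only after CSRF, existence and ownership checks.
function example_peppol_save_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user (nonce action string assumed).
    check_ajax_referer( 'example_peppol_nonce', 'nonce' );
    // 2. Existence: reject ids that do not resolve to a real, non-refund order.
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order instanceof WC_Order ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // 3. Authorization: tie the requested object to the calling user (closes the IDOR).
    if ( ! example_user_may_edit_order( $order ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order->update_meta_data( '_peppol_endpoint_id',  sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_id'] ?? '' ) ) );
    $order->update_meta_data( '_peppol_endpoint_eas', sanitize_text_field( wp_unslash( $_POST['peppol_endpoint_eas'] ?? '' ) ) );
    $order->save();
    wp_send_json_success();
}

// Register only the hardened handler on the action named in the CVE. It is deliberately not
// registered under wp_ajax_nopriv_, so unauthenticated requests never reach it.
add_action( 'wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers', 'example_peppol_save_hardened' );
```

The ownership check is the part that matters for this CVE: a nonce alone stops cross-site forgery but still lets a logged-in Subscriber edit any order they can name.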


How This Could Impact Your Website

Consider a small e-commerce team with a site owner, internal staff (store managers or customer service representatives), and external contractors who have Subscriber or Contributor accounts for content or testing. An attacker who gains access to a Subscriber-level account—through credential reuse, weak passwords, or social engineering—could send requests that change Peppol/EDI endpoint identifiers for other customers’ orders by specifying different order_id values. This could cause orders to be routed to incorrect endpoints, interrupting invoice delivery or payment flows for affected customers.

Practical consequences include disrupted order processing, misrouted invoices on the Peppol network, and the description’s noted potential for data leakage related to invoicing details. Note that the CVSS metrics list confidentiality impact as NONE while the textual description mentions possible data leakage; both points are included here as reported in the CVE entry.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles and privileges, especially for contributors and subscribers.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, especially unexpected AJAX requests that include order_id parameters or changes to Peppol/EDI identifiers.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
