CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-52704

CVSS 10.0v3.1pub. 2026-06-15

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

🤖 AI Analysis
How it works

The vulnerability results from improper code generation control (CWE-94), which allows an attacker to remotely inject and execute arbitrary code through a Remote Code Inclusion mechanism. The attack requires no authentication or user interaction, and the network vector and low attack complexity make it trivial to execute. The scope of the vulnerability extends beyond the plugin context itself (S:C), meaning it can impact the entire server environment.

Impact

An attacker can gain full control over the server hosting the WordPress site — read, modify or delete data, install a backdoor or conduct lateral movement in the infrastructure.

Mitigation & patch

The WooCommerce PDF Invoice Builder plugin must be updated immediately to a version higher than 2.0.8 according to information available in the WordPress repository and the Patchstack database. Until the update is applied, it is recommended to deactivate the plugin.

Who is affected

WordPress WooCommerce PDF Invoice Builder plugin by Edgar Rojas in versions from its inception through 2.0.8 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References