Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.
The vulnerability results from improper code generation control (CWE-94), which allows an attacker to remotely inject and execute arbitrary code through a Remote Code Inclusion mechanism. The attack requires no authentication or user interaction, and the network vector and low attack complexity make it trivial to execute. The scope of the vulnerability extends beyond the plugin context itself (S:C), meaning it can impact the entire server environment.
An attacker can gain full control over the server hosting the WordPress site — read, modify or delete data, install a backdoor or conduct lateral movement in the infrastructure.
The WooCommerce PDF Invoice Builder plugin must be updated immediately to a version higher than 2.0.8 according to information available in the WordPress repository and the Patchstack database. Until the update is applied, it is recommended to deactivate the plugin.
WordPress WooCommerce PDF Invoice Builder plugin by Edgar Rojas in versions from its inception through 2.0.8 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H