External risk intelligence

WooCommerce PDF Invoice Builder Code Injection Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-52704

A critical vulnerability exists in a WooCommerce PDF Invoice Builder plugin, enabling remote code inclusion. Attackers can potentially execute arbitrary code, impacting system integrity and availability. It is crucial to identify if this plugin is deployed within the environment to assess its relevance and exposure.

Halo Surface Signal

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-52704

4

The vulnerability affects a WooCommerce plugin, which is typically used in public-facing e-commerce web applications. Such plugins are designed to be integrated into websites accessible over the internet to manage storefront operations and customer document generation.

PCI scan relevance

PCI Relevance for CVE-2026-52704

Yes

CVE-2026-52704 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote code inclusion, a serious security flaw that can lead to unauthorized code execution and impact PCI DSS compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a WooCommerce plugin that allows remote code inclusion. This means an attacker could embed malicious code into the system and have it run, which could impact the integrity and availability of operations. The primary concern at this time is to confirm whether this plugin is in use within our environment.

  • Code can be injected remotely.
  • Confirm whether this specific plugin is in use.
  • Assess the relevance and exposure of this plugin.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable website. This could allow them to include and execute arbitrary code on the server, potentially leading to a compromise of the entire system. The vulnerability is present in a WooCommerce plugin designed for generating PDF invoices.

  • No authentication or user interaction needed.
  • Triggered by sending malicious requests.
  • Allows remote code inclusion and execution.

Live Threat

Current exploitation, exposure, and threat context

An Improper Control of Generation of Code (CWE-94) vulnerability in a WooCommerce PDF Invoice Builder plugin could allow remote code inclusion. This means an attacker could insert and run their own code on the server, altering service behavior and potentially exposing any sensitive information the server handles.

  • System code and configuration at risk.
  • Attacker could include malicious code remotely.
  • Compromised service and potential data exposure.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in WooCommerce PDF Invoice Builder, allowing remote code inclusion, likely impacts e-commerce platforms. The first practical move is to identify all instances of this plugin, confirm their reachability and business criticality, and then assign ownership for remediation.

  • Plugin owners, e-commerce platform administrators.
  • Verify plugin presence and exposure.
  • Coordinate vendor updates and risk mitigation.

Frequently asked questions

What is the WooCommerce PDF Invoice Builder plugin?

It is a WordPress extension designed to automate the creation and management of PDF invoices for online stores. By integrating directly into the e-commerce workflow, it generates documents for customers, functioning as a server-side utility that processes order data to produce portable electronic invoices.

What does the code injection vulnerability in CVE-2026-52704 mean?

This vulnerability, classified as CWE-94 (Improper Control of Generation of Code), refers to a failure to properly restrict how code is generated or processed. Essentially, it allows an unauthorized party to supply input that the server ends up executing as code. Because the plugin does not safely validate that input, it treats malicious instructions as legitimate program logic, which can lead to full control of the server.

How is this vulnerability triggered?

An attacker triggers the flaw by sending specially crafted network requests to a website running the affected plugin. It does not require the attacker to have an account, nor does it rely on human interaction such as clicking a link. Note that simple browsing or routine use of the invoice builder by your own staff does not trigger the issue; the flaw requires specific, malicious input designed to exploit the code injection weakness.

Why should I be concerned about CVE-2026-52704?

According to Halo Surface Signal, this plugin is typically used on public-facing e-commerce sites, which are inherently reachable over the internet. Because the vulnerability allows remote code inclusion, any instance of this plugin exposed to the web provides a potential entry point for attackers to compromise the server without needing to bypass standard login screens.

Do I need to take action if I use this plugin?

Yes, you should immediately inventory your systems to confirm whether you are running an affected version of the WooCommerce PDF Invoice Builder plugin. The advisory gives no lower bound for the affected range (listed as "n/a"), so treat every version through 2.0.8 inclusive as affected. Once identified, evaluate the plugin's business necessity and reachability. Coordinate with your team to determine whether an update is available or whether the component must be disabled until a secure version is deployed to protect your server environment.
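The inventory step described in the Operational Fix section and in the question above is the part a practitioner actually has to script. The following is an added example, not code from the page, the plugin vendor or Halo: it walks a wp-content/plugins directory, reads each plugin's WordPress header comment, matches the plugin by its "Plugin Name" header (the page does not give the plugin's directory slug, so the name pattern and the sample directory names below are assumptions), and checks the version against the page's stated upper bound of 2.0.8 with no lower bound. The version comparison is numeric, which matters because a lexical comparison would wrongly treat 2.0.10 as older than 2.0.8. The sample plugin tree is constructed inside a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Upper bound of the affected range stated on this page; the advisory
# lists no lower bound ("n/a"), so every version <= this one is affected.
AFFECTED_THROUGH = "2.0.8"

# Header fields WordPress reads from the main plugin file's comment block,
# e.g. " * Plugin Name: Foo" or "Version: 1.2.3".
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v):
    """Turn '2.0.10' into (2, 0, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_affected(version, through=AFFECTED_THROUGH):
    """True when version <= through (no lower bound in the advisory)."""
    a, b = parse_version(version), parse_version(through)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def read_plugin_header(main_file):
    """Return {'Plugin Name': ..., 'Version': ...} or None if not a plugin main file.
    WordPress only inspects the first 8 KB of the file, so do the same."""
    text = Path(main_file).read_text(errors="replace")[:8192]
    fields = {k: v for k, v in _HEADER_RE.findall(text)}
    return fields if "Plugin Name" in fields else None


def find_invoice_builder(plugins_dir, name_pattern=r"pdf\s*invoice\s*builder"):
    """Walk wp-content/plugins and return [(dir_name, version, affected)] for
    every plugin whose header name matches name_pattern (an assumed pattern)."""
    hits = []
    pat = re.compile(name_pattern, re.IGNORECASE)
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        for php in sorted(entry.glob("*.php")):  # main file sits at the plugin's top level
            hdr = read_plugin_header(php)
            if hdr and pat.search(hdr["Plugin Name"]):
                ver = hdr.get("Version", "0")
                hits.append((entry.name, ver, is_affected(ver)))
                break
    return hits


def build_sample_tree(root):
    """Constructed sample plugin tree (directory names are assumptions, not from the page)."""
    samples = {
        "woo-pdf-invoice-builder": ("WooCommerce PDF Invoice Builder", "2.0.8"),
        "woo-pdf-invoice-builder-copy": ("WooCommerce PDF Invoice Builder", "2.0.10"),
        "some-other-plugin": ("Some Other Plugin", "9.9.9"),
    }
    for slug, (name, ver) in samples.items():
        d = Path(root) / slug
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n"
        )
    return root


def demo_scan():
    """Build the constructed tree in a temp dir and scan it; returns the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_invoice_builder(tmp)


if __name__ == "__main__":
    for slug, ver, bad in demo_scan():
        print(f"{slug}: version {ver} -> {'AFFECTED' if bad else 'not in stated range'}")
```

Point `find_invoice_builder` at the real wp-content/plugins path on each host (or each container image) and feed the results into the ownership and reachability review; on hosts with WP-CLI installed, `wp plugin list --fields=name,version,status --format=json` gives the same name/version data without parsing headers, but the numeric comparison in `is_affected` is still needed to decide whether a version falls inside the stated range.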

References