ZeroPath at Black Hat USA 2026

WooCommerce PDF Invoice Builder CVE-2026-52704: Overview of a CVSS 10.0 Remote Code Execution Vulnerability

A brief summary of CVE-2026-52704, a maximum severity remote code execution vulnerability in the WooCommerce PDF Invoice Builder WordPress plugin that requires only Subscriber level authentication to exploit.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-15

WooCommerce PDF Invoice Builder CVE-2026-52704: Overview of a CVSS 10.0 Remote Code Execution Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A WordPress plugin used by over 2,000 WooCommerce stores to generate PDF invoices contains a code injection flaw that scores a perfect CVSS 10.0, allowing any user with a basic Subscriber account to execute arbitrary code on the server. The WooCommerce PDF Invoice Builder, developed by Edgar Rojas under the RedNao brand, reached version 2.0.9 on June 10, 2026 to address CVE-2026-52704, but every prior version through 2.0.8 remains vulnerable.

The WooCommerce PDF Invoice Builder (WordPress plugin slug: woo-pdf-invoice-builder) is a drag and drop template builder for creating PDF invoices, packing slips, and related documents within WooCommerce stores. It supports multi language configurations via WPML and Polylang, QR codes, conditional logic, and password protected PDFs. While its 2,000+ active installations represent a relatively small footprint compared to larger WooCommerce invoice plugins, its deployment in e-commerce environments means compromised sites handle payment data and customer personally identifiable information.

Technical Information

Vulnerability Classification

CVE-2026-52704 is classified under CWE-94: Improper Control of Generation of Code, commonly referred to as "Code Injection." The NVD description specifies the attack as "Remote Code Inclusion," meaning the plugin dynamically includes or evaluates code from a source that an attacker can influence. The Patchstack advisory categorizes this under OWASP Top 10 category A3: Injection.

CWE-94 is distinct from command injection (CWE-77) in an important way: the injected code is executed by the application's own interpreter (in this case, PHP) rather than being passed to an operating system shell. As the MITRE CWE definition notes, "code injection attacks can also lead to loss of data integrity in nearly all cases, since the control-plane data injected is always incidental to data recall or storage."

Related attack patterns documented for CWE-94 include CAPEC-242 (Code Injection), CAPEC-35 (Leveraging Executable Code in Non-Executable Files), and CAPEC-77 (Manipulating User-Controlled Variables).

Attack Surface and Exploitation Requirements

The critical detail that elevates this vulnerability to CVSS 10.0 is the authentication requirement: exploitation requires only Subscriber level privileges. In WordPress, Subscriber is the lowest authenticated role, typically assigned by default to new user registrations. For WooCommerce stores, this is particularly relevant because customer account creation is a standard feature of the checkout flow. Any customer who has registered an account on a vulnerable store possesses the minimum privileges needed to exploit this flaw.

The key parameters of the vulnerability are:

ParameterValue
Vulnerability TypeRemote Code Execution / Remote Code Inclusion
CWECWE-94
CVSS Score10.0 (Critical)
Required PrivilegeSubscriber (lowest authenticated role)
OWASP CategoryA3: Injection
Affected VersionsAll versions through 2.0.8
Patched Version2.0.9

Exploitation Mechanics

According to the Patchstack advisory, "this flaw could allow a malicious actor to execute commands on a target website to gain backdoor access and take full control." In practical terms, successful exploitation of a CWE-94 vulnerability in a PHP/WordPress context typically involves user input reaching a code execution sink without adequate sanitization. Common PHP functions that serve as code execution sinks include eval(), include(), require(), assert(), and preg_replace() with the e modifier.

The MITRE CWE-94 documentation illustrates the risk with an example where eval() processes input like __import__('subprocess').getoutput('rm -r *'), demonstrating how a single unsanitized dynamic code evaluation call can escalate to arbitrary command execution.

The specific code path, vulnerable function, and parameter within WooCommerce PDF Invoice Builder that enables this Remote Code Inclusion have not been publicly disclosed as of the NVD publication date. This is consistent with coordinated disclosure practices; the vulnerability was reported to Patchstack on May 25, 2026 by researcher "she11f" and published on June 15, 2026, a timeline of approximately three weeks.

Impact

Successful exploitation grants the attacker the ability to execute arbitrary PHP code on the server. In most WordPress hosting environments, this is equivalent to full system compromise. Specific consequences include:

  1. Deployment of web shells and persistent backdoors
  2. Exfiltration of the WordPress database, including customer records, payment metadata, and administrator credentials
  3. Modification of checkout flows to inject payment skimmers (Magecart style attacks)
  4. Lateral movement to other sites or services on shared hosting infrastructure
  5. Use of the compromised server as infrastructure for further attacks

Affected Systems and Versions

The vulnerability affects the WordPress plugin "PDF Builder for WooCommerce. Create invoices, packing slips and more" (slug: woo-pdf-invoice-builder) in all versions from the initial release through version 2.0.8. Version 2.0.9, last modified on June 10, 2026, is the patched release.

Key details about the affected software:

AttributeValue
Plugin NamePDF Builder for WooCommerce
WordPress.org Slugwoo-pdf-invoice-builder
AuthorEDGARROJAS (RedNao)
Active Installations2,000+
Vulnerable VersionsAll versions through 2.0.8
Patched Version2.0.9
Minimum WordPress Requirement3.3
Originally PublishedNovember 3, 2017

Any WordPress site running WooCommerce PDF Invoice Builder version 2.0.8 or earlier is affected. Sites that allow user registration (which is standard for WooCommerce stores) are at the highest risk because the Subscriber role required for exploitation is trivially obtainable.

The Patchstack advisory confirms that updating to version 2.0.9 or later resolves the vulnerability. Patchstack also offers virtual patching as an interim measure for organizations that cannot immediately update. Additional compensating controls include disabling user registration to prevent creation of new Subscriber accounts, auditing and removing unnecessary low privilege accounts, deploying WAF rules targeting code injection patterns, implementing network segmentation to contain potential compromise, and enabling file integrity monitoring for early detection of post-exploitation activity.

Vendor Security History

The WooCommerce PDF Invoice Builder has accumulated a significant history of security vulnerabilities across its lifecycle. The following table summarizes known issues documented by Patchstack, Wordfence, and WPScan:

Vulnerability TypeAffected VersionPatched VersionSource
Remote Code Execution (RCE)<= 2.0.82.0.9Patchstack
Broken Access Control<= 1.2.1501.2.151Patchstack
Missing Authorization<= 1.2.1501.2.151Wordfence
Cross Site Request Forgery (CSRF)<= 1.2.1481.2.149Wordfence
Reflected Cross Site Scripting (XSS)<= 1.2.1361.2.137Wordfence
CSRF (Save and Custom Field Creation)<= 1.2.101Not specifiedWPScan
Authenticated (Administrator+) XSS<= 1.2.90Not specifiedPatchstack
Sensitive Information Exposure<= 1.2.91Not specifiedPatchstack

The changelog for the plugin also references security fixes in earlier versions: version 1.2.114 notes a "Fixed security issue in the pdf error resolver" and version 1.2.104 notes "Fixed CVE-2023-46076."

This progression from CSRF and XSS through broken access control to a full CVSS 10.0 RCE suggests systemic weaknesses in the plugin's input validation and authorization enforcement rather than isolated coding errors. The plugin does participate in the Patchstack vulnerability disclosure program (Active VDP), which provides a formal channel for researchers to report issues. However, the frequency and escalating severity of discovered vulnerabilities warrants consideration of whether continued use of this plugin aligns with an organization's risk tolerance.

Threat Landscape Context

As of the NVD publication date of June 15, 2026, no public sources confirm active exploitation of CVE-2026-52704 in the wild. The CVE has not appeared in the CISA Known Exploited Vulnerabilities Catalog.

However, the broader threat landscape for WordPress plugin RCE vulnerabilities provides important context for risk assessment. In recent months, several comparable vulnerabilities have been actively exploited:

  • A critical vulnerability in the Funnel Builder plugin (affecting 40,000+ WooCommerce stores) was exploited to inject malicious JavaScript into checkout pages.
  • CVE-2026-3300 in the Everest Forms Pro plugin was actively exploited to hijack vulnerable websites.
  • CVE-2026-1357 in the WPvivid plugin allowed unauthenticated RCE, enabling attackers to upload PHP files and take over sites.

WordPress plugin RCE vulnerabilities are routinely targeted by automated botnets that scan for vulnerable installations and deploy web shells, e-commerce skimmer operators running Magecart style attacks against WooCommerce checkout flows, and ransomware operators who leverage initial access through WordPress vulnerabilities.

The combination of a CVSS 10.0 score, low authentication barrier, and e-commerce deployment context means the window for proactive patching before exploitation begins is likely measured in days, not weeks.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization