Introduction
A WordPress plugin used by over 2,000 WooCommerce stores to generate PDF invoices contains a code injection flaw that scores a perfect CVSS 10.0, allowing any user with a basic Subscriber account to execute arbitrary code on the server. The WooCommerce PDF Invoice Builder, developed by Edgar Rojas under the RedNao brand, reached version 2.0.9 on June 10, 2026 to address CVE-2026-52704, but every prior version through 2.0.8 remains vulnerable.
The WooCommerce PDF Invoice Builder (WordPress plugin slug: woo-pdf-invoice-builder) is a drag and drop template builder for creating PDF invoices, packing slips, and related documents within WooCommerce stores. It supports multi language configurations via WPML and Polylang, QR codes, conditional logic, and password protected PDFs. While its 2,000+ active installations represent a relatively small footprint compared to larger WooCommerce invoice plugins, its deployment in e-commerce environments means compromised sites handle payment data and customer personally identifiable information.
Technical Information
Vulnerability Classification
CVE-2026-52704 is classified under CWE-94: Improper Control of Generation of Code, commonly referred to as "Code Injection." The NVD description specifies the attack as "Remote Code Inclusion," meaning the plugin dynamically includes or evaluates code from a source that an attacker can influence. The Patchstack advisory categorizes this under OWASP Top 10 category A3: Injection.
CWE-94 is distinct from command injection (CWE-77) in an important way: the injected code is executed by the application's own interpreter (in this case, PHP) rather than being passed to an operating system shell. As the MITRE CWE definition notes, "code injection attacks can also lead to loss of data integrity in nearly all cases, since the control-plane data injected is always incidental to data recall or storage."
Related attack patterns documented for CWE-94 include CAPEC-242 (Code Injection), CAPEC-35 (Leveraging Executable Code in Non-Executable Files), and CAPEC-77 (Manipulating User-Controlled Variables).
Attack Surface and Exploitation Requirements
The critical detail that elevates this vulnerability to CVSS 10.0 is the authentication requirement: exploitation requires only Subscriber level privileges. In WordPress, Subscriber is the lowest authenticated role, typically assigned by default to new user registrations. For WooCommerce stores, this is particularly relevant because customer account creation is a standard feature of the checkout flow. Any customer who has registered an account on a vulnerable store possesses the minimum privileges needed to exploit this flaw.
The key parameters of the vulnerability are:
| Parameter | Value |
|---|---|
| Vulnerability Type | Remote Code Execution / Remote Code Inclusion |
| CWE | CWE-94 |
| CVSS Score | 10.0 (Critical) |
| Required Privilege | Subscriber (lowest authenticated role) |
| OWASP Category | A3: Injection |
| Affected Versions | All versions through 2.0.8 |
| Patched Version | 2.0.9 |
Exploitation Mechanics
According to the Patchstack advisory, "this flaw could allow a malicious actor to execute commands on a target website to gain backdoor access and take full control." In practical terms, successful exploitation of a CWE-94 vulnerability in a PHP/WordPress context typically involves user input reaching a code execution sink without adequate sanitization. Common PHP functions that serve as code execution sinks include eval(), include(), require(), assert(), and preg_replace() with the e modifier.
The MITRE CWE-94 documentation illustrates the risk with an example where eval() processes input like __import__('subprocess').getoutput('rm -r *'), demonstrating how a single unsanitized dynamic code evaluation call can escalate to arbitrary command execution.
The specific code path, vulnerable function, and parameter within WooCommerce PDF Invoice Builder that enables this Remote Code Inclusion have not been publicly disclosed as of the NVD publication date. This is consistent with coordinated disclosure practices; the vulnerability was reported to Patchstack on May 25, 2026 by researcher "she11f" and published on June 15, 2026, a timeline of approximately three weeks.
Impact
Successful exploitation grants the attacker the ability to execute arbitrary PHP code on the server. In most WordPress hosting environments, this is equivalent to full system compromise. Specific consequences include:
- Deployment of web shells and persistent backdoors
- Exfiltration of the WordPress database, including customer records, payment metadata, and administrator credentials
- Modification of checkout flows to inject payment skimmers (Magecart style attacks)
- Lateral movement to other sites or services on shared hosting infrastructure
- Use of the compromised server as infrastructure for further attacks
Affected Systems and Versions
The vulnerability affects the WordPress plugin "PDF Builder for WooCommerce. Create invoices, packing slips and more" (slug: woo-pdf-invoice-builder) in all versions from the initial release through version 2.0.8. Version 2.0.9, last modified on June 10, 2026, is the patched release.
Key details about the affected software:
| Attribute | Value |
|---|---|
| Plugin Name | PDF Builder for WooCommerce |
| WordPress.org Slug | woo-pdf-invoice-builder |
| Author | EDGARROJAS (RedNao) |
| Active Installations | 2,000+ |
| Vulnerable Versions | All versions through 2.0.8 |
| Patched Version | 2.0.9 |
| Minimum WordPress Requirement | 3.3 |
| Originally Published | November 3, 2017 |
Any WordPress site running WooCommerce PDF Invoice Builder version 2.0.8 or earlier is affected. Sites that allow user registration (which is standard for WooCommerce stores) are at the highest risk because the Subscriber role required for exploitation is trivially obtainable.
The Patchstack advisory confirms that updating to version 2.0.9 or later resolves the vulnerability. Patchstack also offers virtual patching as an interim measure for organizations that cannot immediately update. Additional compensating controls include disabling user registration to prevent creation of new Subscriber accounts, auditing and removing unnecessary low privilege accounts, deploying WAF rules targeting code injection patterns, implementing network segmentation to contain potential compromise, and enabling file integrity monitoring for early detection of post-exploitation activity.
Vendor Security History
The WooCommerce PDF Invoice Builder has accumulated a significant history of security vulnerabilities across its lifecycle. The following table summarizes known issues documented by Patchstack, Wordfence, and WPScan:
| Vulnerability Type | Affected Version | Patched Version | Source |
|---|---|---|---|
| Remote Code Execution (RCE) | <= 2.0.8 | 2.0.9 | Patchstack |
| Broken Access Control | <= 1.2.150 | 1.2.151 | Patchstack |
| Missing Authorization | <= 1.2.150 | 1.2.151 | Wordfence |
| Cross Site Request Forgery (CSRF) | <= 1.2.148 | 1.2.149 | Wordfence |
| Reflected Cross Site Scripting (XSS) | <= 1.2.136 | 1.2.137 | Wordfence |
| CSRF (Save and Custom Field Creation) | <= 1.2.101 | Not specified | WPScan |
| Authenticated (Administrator+) XSS | <= 1.2.90 | Not specified | Patchstack |
| Sensitive Information Exposure | <= 1.2.91 | Not specified | Patchstack |
The changelog for the plugin also references security fixes in earlier versions: version 1.2.114 notes a "Fixed security issue in the pdf error resolver" and version 1.2.104 notes "Fixed CVE-2023-46076."
This progression from CSRF and XSS through broken access control to a full CVSS 10.0 RCE suggests systemic weaknesses in the plugin's input validation and authorization enforcement rather than isolated coding errors. The plugin does participate in the Patchstack vulnerability disclosure program (Active VDP), which provides a formal channel for researchers to report issues. However, the frequency and escalating severity of discovered vulnerabilities warrants consideration of whether continued use of this plugin aligns with an organization's risk tolerance.
Threat Landscape Context
As of the NVD publication date of June 15, 2026, no public sources confirm active exploitation of CVE-2026-52704 in the wild. The CVE has not appeared in the CISA Known Exploited Vulnerabilities Catalog.
However, the broader threat landscape for WordPress plugin RCE vulnerabilities provides important context for risk assessment. In recent months, several comparable vulnerabilities have been actively exploited:
- A critical vulnerability in the Funnel Builder plugin (affecting 40,000+ WooCommerce stores) was exploited to inject malicious JavaScript into checkout pages.
- CVE-2026-3300 in the Everest Forms Pro plugin was actively exploited to hijack vulnerable websites.
- CVE-2026-1357 in the WPvivid plugin allowed unauthenticated RCE, enabling attackers to upload PHP files and take over sites.
WordPress plugin RCE vulnerabilities are routinely targeted by automated botnets that scan for vulnerable installations and deploy web shells, e-commerce skimmer operators running Magecart style attacks against WooCommerce checkout flows, and ransomware operators who leverage initial access through WordPress vulnerabilities.
The combination of a CVSS 10.0 score, low authentication barrier, and e-commerce deployment context means the window for proactive patching before exploitation begins is likely measured in days, not weeks.
References
- NVD Entry for CVE-2026-52704
- Patchstack Advisory: Remote Code Execution (RCE) in WordPress WooCommerce PDF Invoice Builder Plugin
- WordPress.org Plugin Page: PDF Builder for WooCommerce
- MITRE CWE-94: Improper Control of Generation of Code
- Patchstack: WooCommerce PDF Invoice Builder Vulnerability History
- Wordfence: WooCommerce PDF Invoice Builder Vulnerability Timeline
- WPScan: PDF Builder for WooCommerce
- Wordfence: WooCommerce PDF Invoice Builder <= 1.2.148 CSRF
- Wordfence: WooCommerce PDF Invoice Builder <= 1.2.150 Missing Authorization
- Wordfence: PDF Builder for WooCommerce <= 1.2.136 Reflected XSS
- Patchstack: Broken Access Control in WooCommerce PDF Invoice Builder <= 1.2.150
- CISA Known Exploited Vulnerabilities Catalog



