CVE-2025-13773

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress

Executive summary

A critical remote code execution vulnerability has been identified in "The Print Invoice & Delivery Notes for WooCommerce" WordPress plugin. This flaw, tracked as CVE-2025-13773, allows an unauthenticated attacker to execute arbitrary code on the server, potentially leading to a complete compromise of the website, data theft, and further network intrusion. Due to the lack of an authentication requirement and the high severity score, immediate patching is required to prevent exploitation.

Vulnerability

This vulnerability is a result of a chain of three weaknesses. First, the WooCommerce_Delivery_Notes::update function lacks a proper capability check, allowing it to be triggered by any user, including unauthenticated visitors. Second, user-supplied data passed to this function is used within the template.php file without proper sanitization or escaping. Third, the Dompdf library utilized by the plugin is configured to permit the execution of inline PHP code. An unauthenticated attacker can craft a malicious request to the update function, injecting PHP code into a template field, which is then executed by Dompdf on the server, resulting in Remote Code Execution (RCE).

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the extreme risk it poses to the organization. Successful exploitation allows an attacker to gain full control over the underlying web server. Potential consequences include theft of sensitive data such as customer information and payment details, website defacement, distribution of malware to visitors, and using the compromised server as a pivot point to attack other internal systems. The potential for reputational damage, regulatory fines, and financial loss is significant.

Remediation

Immediate Action: Update "The Print Invoice & Delivery Notes for WooCommerce" plugin to the latest version, which contains the security patch for this vulnerability. After patching, review server access logs and audit for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Security teams should monitor for indicators of compromise, including unusual POST requests to WordPress admin functions related to the vulnerable plugin. Scrutinize web server logs for requests targeting the WooCommerce_Delivery_Notes::update function, especially from unknown IP addresses. Monitor for unexpected processes spawned by the web server user (e.g., www-data, apache) and any suspicious outbound network connections that could indicate a reverse shell.
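As an added example (not part of the original advisory or the plugin's code), the following Python script applies the monitoring advice above to constructed Apache access-log lines: it flags POST requests to WordPress admin entry points that reference the plugin, and any request whose decoded URL carries a PHP open tag, which is the kind of input the chain described above would need. The `wcdn`/`delivery_notes` markers and the `action=wcdn_update` parameter in the sample lines are hypothetical stand-ins for the real request and must be adjusted to what the deployed plugin actually uses.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format; not real traffic.
# Line 2 carries a URL-encoded "<?php echo 1; ?>" in a query parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=wcdn_update&template=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 83 "-" "curl/8.0"
192.0.2.44 - - [12/Jan/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:00:12 +0000] "POST /wp-admin/admin-post.php?action=wcdn_update HTTP/1.1" 302 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# PHP open tags after decoding; the plugin's Dompdf setup executes inline PHP.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
# WordPress entry points a plugin request would normally pass through (assumption).
ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")
# Hypothetical identifiers for the plugin's request; adjust to the real action name.
PLUGIN_MARKERS = ("wcdn", "delivery_notes")

def decode_uri(uri: str) -> str:
    """Decode twice so double-encoded payloads (e.g. %253C) are also caught."""
    return unquote_plus(unquote_plus(uri))

def inspect_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = decode_uri(m["uri"])
    path, _, query = uri.partition("?")
    reasons = []
    if (m["method"] == "POST" and path in ADMIN_ENDPOINTS
            and any(mark in query.lower() for mark in PLUGIN_MARKERS)):
        reasons.append("post-to-plugin-endpoint")
    if PHP_TAG_RE.search(uri):
        reasons.append("php-open-tag-in-request")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": path, "reasons": reasons}

def scan_log(text: str):
    """Scan access-log text. POST bodies are not recorded in access logs, so
    body-borne payloads need WAF or request-body logging to be visible."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]
```

Run `scan_log(open("access.log").read())` against a real log; the two `198.51.100.7` sample lines are the ones it flags.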

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

  • Implement a Web Application Firewall (WAF) rule to block requests containing malicious payloads targeting the vulnerable function.
  • Temporarily disable the plugin until it can be safely updated.
  • Harden the server's PHP configuration by disabling potentially dangerous functions like exec(), shell_exec(), and system() if they are not essential for the website's operation.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the fact that this vulnerability can be exploited by an unauthenticated attacker, this issue represents a clear and present danger to any organization using the affected plugin. We strongly recommend that the remediation plan be executed as a top priority. All internet-facing websites using this plugin must be patched immediately to prevent a full system compromise. Although not currently on the CISA KEV list, the severity warrants treating it with the same level of urgency.