CVE-2025-57977

wpdesk · wpdesk Flexible PDF Invoices for WooCommerce & WordPress

A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Flexible PDF Invoices for WooCommerce & WordPress plugin.

Executive summary

A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Flexible PDF Invoices for WooCommerce & WordPress plugin. This flaw could allow a remote attacker to trick a logged-in administrator into performing unintended actions, such as modifying plugin settings or manipulating invoice data, without their consent. Successful exploitation could compromise the integrity of the site's e-commerce and invoicing functions, leading to potential data loss and operational disruption.

Vulnerability

This vulnerability is a Cross-Site Request Forgery (CSRF) flaw. It exists because the plugin fails to implement or properly validate anti-CSRF tokens (nonces) on state-changing requests within its administrative interface. An attacker can exploit this by crafting a malicious URL or web page that triggers a specific action within the vulnerable plugin. If a logged-in administrator is tricked into visiting this malicious page, their browser will automatically send the request along with their active session cookies, causing the WordPress site to execute the attacker's command as if it were a legitimate action performed by the administrator.
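As an added illustration (not the plugin's or vendor's code), the following shows the pattern behind this class of flaw in WordPress terms: a state-changing admin-post handler with no nonce check, beside a hardened handler and form that verify capability and a per-action nonce. The hook, option, capability and nonce names are hypothetical.

```php
<?php
// Added illustration, not code from the affected plugin. Hook names,
// the option name and the nonce action below are hypothetical.

// 1. Vulnerable pattern: a state-changing admin action with no nonce
//    check. If an administrator's browser is steered to a page that
//    auto-submits a form to this action, the request carries the admin's
//    session cookies and the attacker-chosen value is saved.
add_action( 'admin_post_save_invoice_settings_vulnerable', function () {
    update_option( 'example_invoice_prefix', sanitize_text_field( wp_unslash( $_POST['prefix'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-invoices' ) );
    exit;
} );

// 2. Hardened pattern: check capability first, then the nonce.
//    check_admin_referer() ends the request with a 403 when the nonce
//    is missing or invalid, so a forged cross-site request never reaches
//    update_option(). The nonce is bound to the user session and the
//    action name, which a third-party page cannot read or predict.
add_action( 'admin_post_save_invoice_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_invoice_settings', '_example_nonce' );
    update_option( 'example_invoice_prefix', sanitize_text_field( wp_unslash( $_POST['prefix'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-invoices' ) ) );
    exit;
} );

// 3. The legitimate settings form emits the matching nonce field; the
//    action and field names must match those passed to check_admin_referer().
function example_render_invoice_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="save_invoice_settings">
        <?php wp_nonce_field( 'example_save_invoice_settings', '_example_nonce' ); ?>
        <label>Invoice prefix
            <input type="text" name="prefix" value="<?php echo esc_attr( get_option( 'example_invoice_prefix', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this issue, look for every admin-post, admin-ajax and REST callback that writes options or post data and confirm each one reaches a nonce (or REST cookie-auth nonce) check plus a capability check before the write.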

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation could have a significant business impact, particularly for e-commerce sites relying on this plugin for financial documentation. An attacker could maliciously alter invoice templates, change numbering schemes, or modify other critical settings, leading to the loss of data integrity, financial discrepancies, and potential customer disputes. The disruption of a core business process like invoicing can damage the organization's reputation and lead to direct financial loss.

Remediation

Immediate Action:

  • Immediately update the "Flexible PDF Invoices for WooCommerce & WordPress" plugin to the latest patched version provided by the vendor (wpdesk).
  • After updating, review the plugin's configuration to ensure no unauthorized changes were made.
  • If the plugin is not critical to business operations, consider deactivating and removing it to reduce the overall attack surface.

Proactive Monitoring:

  • Monitor web server and application logs for unusual or unexpected requests to the plugin's administrative functions, particularly those with suspicious referrer URLs.
  • Implement a Web Application Firewall (WAF) to detect and block generic CSRF attack patterns.
  • Regularly audit plugin settings and invoice data for any unauthorized or anomalous modifications.

Compensating Controls:

  • If immediate patching is not feasible, configure a Web Application Firewall (WAF) with specific rules to block CSRF attempts against the plugin's endpoints.
  • Enforce a policy requiring administrators to log out of their WordPress sessions when not actively performing administrative tasks.
  • Train administrative users to be suspicious of unsolicited links and to avoid browsing other websites while logged into the WordPress backend.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability poses a high risk to business operations and data integrity. We strongly recommend that all organizations using the "Flexible PDF Invoices for WooCommerce & WordPress" plugin apply the security update provided by the vendor as a matter of urgency. Although this vulnerability is not currently on the CISA KEV list, its potential impact on critical e-commerce functions warrants immediate remediation to prevent exploitation.