CVE-2026-39472 | Severity: HIGH | CNA: Patchstack

CVE-2026-39472: WordPress WooCommerce PDF Invoices & Packing Slips plugin < 5.9.0 - PHP Object Injection vulnerability

PHP Object Injection reachable by shop manager accounts in WooCommerce PDF Invoices & Packing Slips versions below 5.9.0.

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: 5.9.0
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection in the WooCommerce PDF Invoices and Packing Slips WordPress plugin (versions before 5.9.0) allows an authenticated attacker with shop manager privileges to inject malicious PHP objects into the application. The vulnerability is reachable over the network and requires no victim interaction, but does require a high-privilege account to exploit. Successful exploitation gives the attacker full read, write, and availability control over the affected WordPress installation. A patched-image rebuild at version 5.9.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39472 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including Patchstack advisories) within minutes of publication and matched against customer images, including custom-built WordPress images containing this plugin. Any image carrying a version of WooCommerce PDF Invoices and Packing Slips below 5.9.0 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.2 HIGH using the CVSS v3.1 vector and weights it against each customer environment's compliance policy, surfacing findings in the appropriate team inbox. Per-environment policy configuration controls whether the issue is routed to a security team queue, a development team queue, or both.

Patch: Available

A patched-image rebuild at version 5.9.0 is available on HarborGuard for any environment running an affected version of the plugin. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    A shop manager account (or higher) is required; low-privilege subscriber-level accounts are not sufficient to trigger the injection.

  • Victim interaction: Not required

    No action from another user or administrator is needed to complete the attack.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental dependencies required.

Blast Radius

  • Reads any data accessible to the WordPress application, including stored order records, customer personally identifiable information, and payment-related metadata.
  • Writes or modifies persisted database rows, including orders, user records, and plugin configuration.
  • Can invoke arbitrary PHP object chains (POP gadgets) present in the application, potentially leading to remote code execution on the host server.
  • Crashes or degrades the WordPress service if a destructive object chain is triggered during exploitation.

How HarborGuard Handles This

Available on HarborGuard: detection of this vulnerability is active the moment the advisory is ingested, matching any customer image that bundles WooCommerce PDF Invoices and Packing Slips below 5.9.0. Where compliance policy permits, auto-remediation customers receive a rebuilt image at version 5.9.0, a regression test run against that image, and a pull request opened against affected workloads. For HIGH-severity issues, the median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes. Customers who manage remediation manually can use the HarborGuard finding detail page to confirm which images are affected and review the fix version before applying changes. Because this vulnerability requires a shop manager credential, restricting account provisioning and enforcing strong credential policies serve as compensating controls while a rebuild is in progress.


Fix available: 5.9.0

Affected packages
  • WP Overnight / WooCommerce PDF Invoices & Packing Slips
    < 5.9.0 (from n/a)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References