CVE-2026-49056: WordPress WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin <= 4.9.4 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an unauthenticated sensitive data exposure vulnerability in the WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin by WebToffee, affecting version 4.9.4 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives an attacker direct read access to sensitive data handled by the plugin, such as order details, customer information, and shipping records. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress and WooCommerce images. Any image carrying the affected plugin version at 4.9.4 or below is flagged automatically.
Scoring: Available
HarborGuard scores this CVE at 7.5 HIGH based on the published CVSS v3.1 vector and weights it further against each environment's compliance policy to determine routing priority. Findings are surfaced to the appropriate team inbox within each customer organization based on their configured alert rules.
Remediation: Pending upstream
No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment WebToffee ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, meaning an attacker only needs HTTP/HTTPS access to the WordPress site to reach it.
- Authentication: Not required
No account or session credential of any kind is needed; the attacker can trigger the exposure as a completely anonymous visitor.
- Victim interaction: Not required
No user action is required on the target site; the attacker sends requests directly without involving any authenticated user.
- Attack complexity: Low (AC:L)
Exploitation is straightforward and condition-free, requiring no race conditions, special configurations, or environmental factors to succeed reliably.
Blast Radius
- Reads order-related documents including PDF invoices, packing slips, delivery notes, and shipping labels generated by the plugin.
- Exposes customer personally identifiable information (PII) such as billing names, addresses, and order details embedded in those documents.
- Allows an unauthenticated attacker to enumerate or harvest business-sensitive shipping and fulfillment data without leaving obvious authentication traces.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously against all customer images carrying the WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin at version 4.9.4 or below. Because no upstream patch exists today, HarborGuard re-checks the Patchstack advisory on every ingest cycle. When WebToffee publishes a fix, a patched-image rebuild will become available immediately; for customers with auto-remediation enabled, this triggers a rebuild, a regression test run, and a PR opened against affected workloads without manual steps. In the meantime, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to the document-serving routes, egress filtering to limit what the WordPress container can reach, and temporarily disabling the PDF generation feature flag if the plugin supports it. The CVSS score of 7.5 HIGH reflects full confidentiality impact with zero authentication barrier, so prompt isolation is advisable for any internet-facing deployment.
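The monitoring described above comes down to one check a defender can also run by hand: read each installed plugin's header and compare its version against the affected range. The following is an added example, not HarborGuard's scanner and not WebToffee's code. It parses the "Plugin Name" and "Version" fields from a WordPress main plugin file, compares versions numerically rather than as strings (so 4.10.0 correctly sorts above 4.9.4), and flags the named plugin whenever it is at or below 4.9.4. The sample headers and directory names are constructed placeholders, not the plugin's real slug, and the version shown above the range is illustrative only, since the advisory lists no fixed version.

```python
import re

# Highest affected version, taken from the advisory (<= 4.9.4).
AFFECTED_MAX = "4.9.4"
# Plugin name as the advisory gives it; matched case-insensitively as a substring.
AFFECTED_PLUGIN = "WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels"

# WordPress reads "Key: value" header lines from the comment block at the top
# of a plugin's main PHP file; the leading characters are comment decoration.
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.MULTILINE | re.IGNORECASE)
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def version_key(version):
    """Map a dotted version to a tuple of ints for numeric comparison.
    A pre-release suffix after the numeric part (e.g. '-rc1') is ignored.
    Numeric tuples make '4.10.0' sort above '4.9.4'; string comparison would not."""
    numeric = re.match(r"\d+(?:\.\d+)*", version.strip())
    if numeric is None:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in numeric.group(0).split("."))


def is_affected(version, affected_max=AFFECTED_MAX):
    """True when version <= affected_max under numeric comparison."""
    return version_key(version) <= version_key(affected_max)


def plugin_header(php_source):
    """Return (plugin name, version) from a main plugin file's header,
    or None if either field is missing."""
    name = _NAME_RE.search(php_source)
    version = _VERSION_RE.search(php_source)
    if name is None or version is None:
        return None
    return name.group(1), version.group(1)


def scan_plugins(plugin_files):
    """plugin_files maps a path to the source of that plugin's main file.
    Returns (path, name, version) for every copy of the named plugin whose
    version falls inside the affected range."""
    findings = []
    for path, source in plugin_files.items():
        header = plugin_header(source)
        if header is None:
            continue
        name, version = header
        if AFFECTED_PLUGIN.lower() in name.lower() and is_affected(version):
            findings.append((path, name, version))
    return findings


# Constructed sample inputs (hypothetical directory names, not the real slug).
# The 5.0.0 entry only shows a version above the range; the advisory lists no fix.
SAMPLE_PLUGIN_FILES = {
    "wp-content/plugins/placeholder-pdf-invoices/main.php": (
        "<?php\n/*\n"
        " * Plugin Name: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels\n"
        " * Version: 4.9.4\n"
        " */\n"
    ),
    "wp-content/plugins/placeholder-pdf-invoices-newer/main.php": (
        "<?php\n/**\n"
        " * Plugin Name: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels\n"
        " * Version: 5.0.0\n"
        " */\n"
    ),
    "wp-content/plugins/unrelated-plugin/unrelated.php": (
        "<?php\n/*\nPlugin Name: Unrelated Plugin\nVersion: 4.0.0\n*/\n"
    ),
}

if __name__ == "__main__":
    for path, name, version in scan_plugins(SAMPLE_PLUGIN_FILES):
        print(f"AFFECTED {path}: {name} {version} (<= {AFFECTED_MAX})")
```

Run it against a directory walk of `wp-content/plugins/*/` by reading each plugin's main file into the dictionary; the only inputs are the header text and the range from the advisory, so the same check works inside a container image or on a live install.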
Affected Products
- WebToffee / WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels: ≤ 4.9.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N