CVE-2026-52704 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-52704: WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

Metrics

CVSS v3.1 score: 10.0
Severity: CRITICAL
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a code injection vulnerability (CWE-94, Improper Control of Generation of Code) in the WooCommerce PDF Invoice Builder WordPress plugin that leads to remote code execution; every version through 2.0.8 is affected and no fixed release exists at the time of writing. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) describes a flaw reachable over the network with no authentication and no user interaction, so any internet-facing site running the plugin is exposed to opportunistic exploitation. Successful exploitation yields arbitrary code execution in the context of the web server process: the attacker can read wp-config.php (database credentials and authentication keys and salts), modify or delete anything the web server account can write, and take the storefront offline. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Patchstack advisory) within minutes of publication and matched against all customer images, including custom-built WordPress and WooCommerce images. Any image that ships WooCommerce PDF Invoice Builder at version 2.0.8 or earlier is flagged automatically during pipeline scans and registry sweeps.
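The version match described above can be reproduced by hand against an unpacked image or a live wp-content/plugins directory. The following is an added example, not HarborGuard's scanner and not code from the plugin: it reads each plugin's WordPress header block, matches on the Plugin Name field, and compares the declared version numerically against the advisory's upper bound of 2.0.8. The directory names and the stub header files it creates are constructed for the demonstration and are not asserted to be the real plugin slug; the 2.0.10 entry is a hypothetical future version (no such release exists at the time of writing) used only to show why a numeric rather than string comparison is needed.

```python
"""Added example: flag WooCommerce PDF Invoice Builder <= 2.0.8 in a directory tree.

Not HarborGuard's scanner and not code from the plugin. Matching is done on the
plugin's declared "Plugin Name" header; directory names in the sample tree are
constructed for this demo and are not asserted to be the real plugin slug.
"""
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Optional

LAST_AFFECTED = "2.0.8"                           # upper bound of the affected range
PLUGIN_NAME = "WooCommerce PDF Invoice Builder"   # product name as the advisory states it

# WordPress plugin headers are "Field: value" lines inside the leading comment
# block of the main plugin file; WordPress itself only reads the first 8 KiB.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> Optional[dict]:
    """Return {"Plugin Name": ..., "Version": ...} or None if not a plugin main file."""
    fields = {m.group(1): m.group(2) for m in HEADER_RE.finditer(text[:8192])}
    return fields if "Plugin Name" in fields else None


def version_tuple(version: str) -> tuple:
    """Numeric components, so 2.0.10 sorts after 2.0.8 (string comparison gets this backwards)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    """True when the declared version lies inside the advisory's affected range (<= 2.0.8)."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


def scan(root: Path) -> list:
    """Walk root, find every PHP file whose header names the plugin, and grade its version."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = Path(dirpath) / name
            try:
                header = parse_plugin_header(path.read_text(errors="replace"))
            except OSError:
                continue
            if header and header["Plugin Name"] == PLUGIN_NAME:
                version = header.get("Version", "0")  # no Version header: treat as oldest
                findings.append({"path": str(path), "version": version,
                                 "affected": is_affected(version)})
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed wp-content/plugins tree for the demo (stub headers, no real plugin code)."""
    samples = {
        "pdf-invoice-builder-current/main.php": (PLUGIN_NAME, "2.0.8"),  # last affected release
        "pdf-invoice-builder-old/main.php": (PLUGIN_NAME, "1.9.3"),      # older, also affected
        "pdf-invoice-builder-future/main.php": (PLUGIN_NAME, "2.0.10"),  # hypothetical, not released
        "unrelated-plugin/unrelated-plugin.php": ("Unrelated Example Plugin", "3.1.0"),
    }
    for rel, (name, version) in samples.items():
        path = base / "wp-content" / "plugins" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return base


def run_demo() -> list:
    """Scan the constructed tree; returns findings ordered by version."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan(build_sample_tree(Path(tmp)))
    return sorted(findings, key=lambda f: version_tuple(f["version"]))


if __name__ == "__main__":
    results = scan(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for f in results:
        status = "AFFECTED    " if f["affected"] else "not affected"
        print(f"{status}  {f['version']:>8}  {f['path']}")
```

Run it with the root of an unpacked image or a WordPress install as the only argument; with no argument it scans the constructed sample tree. Matching on the header rather than the directory name catches renamed or vendored copies, which is also why a clean result is not proof of absence: a copy whose header has been stripped or altered will not match, so treat the scan as one signal beside the registry-level match HarborGuard performs.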
Triage: Available

HarborGuard scores this CVE at CVSS 10.0 (Critical) and surfaces it at the highest severity tier in each customer's dashboard. Per-environment compliance policy weighting is applied so that the finding is routed to the appropriate team inbox, respecting each organization's internal ownership rules.
Patch: Pending upstream

No upstream fix has been published for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Edgar Rojas or the WordPress plugin repository ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over HTTP/HTTPS, so the attacker needs to reach the WordPress installation; for an internet-facing site that means any location on the internet.

  • Authentication: Not required

    No account or session credential of any kind is needed; the injection endpoint is accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attacker does not need to trick any user into performing an action; exploitation is fully server-side.

  • Attack complexity: Low

    Attack complexity is low (CVSS AC:L): exploitation does not depend on special preconditions such as winning a race condition or knowing a specific memory layout, so a working exploit is expected to be reliable.

Blast Radius

  • The attacker can execute arbitrary server-side code with the privileges of the web server process. That account owns the WordPress application, so this amounts to full control of the site and of anything else on the host that the same account can reach.
  • All files readable by the web server are exposed, including wp-config.php with its database credentials and authentication keys and salts.
  • The attacker can write, overwrite, or delete any file the web server process can write to, including theme and plugin files (a convenient place to plant a persistent backdoor) and uploaded customer documents such as generated invoices.
  • The web server process can be crashed or the service otherwise disrupted, taking the WordPress storefront and all WooCommerce operations offline.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked at Critical severity (CVSS 10.0) and matched against all images containing WooCommerce PDF Invoice Builder through 2.0.8. Because no upstream fix exists, the immediate recommendation is compensating controls. The advisory does not name the vulnerable endpoint or parameter, so treat WAF rules as best-effort: generic code-injection signatures may stop obvious payloads but cannot be relied on to close the hole. The dependable mitigation is to deactivate the plugin (and remove it if invoices are not needed) until a fixed release is available; where that is not possible, restrict network access to the WordPress installation to known sources. Because the flaw is unauthenticated remote code execution, also treat any internet-facing instance that ran an affected version as potentially compromised and review it before relying on mitigation alone. HarborGuard monitors the Patchstack advisory and the WordPress plugin repository on every ingest cycle. As soon as a remediated version is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, the rebuild and regression test run start automatically and a PR is opened against affected workloads.

Affected packages
  • Edgar Rojas / WooCommerce PDF Invoice Builder
    ≤ 2.0.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H