
CVE-2024-13640: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in tychesoftwares Print Invoice & Delivery Notes for WooCommerce

Severity: Medium
Tags: vulnerability, cve-2024-13640, cwe-200
Published: Sat Mar 08 2025 (03/08/2025, 04:21:03 UTC)
Source: CVE
Vendor/Project: tychesoftwares
Product: Print Invoice & Delivery Notes for WooCommerce

Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.4.1 via the 'wcdn/invoice' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/wcdn/invoice directory which can contain invoice files if an email attachment setting is enabled.

AI-Powered Analysis

Last updated: 07/04/2025, 21:55:36 UTC

Technical Analysis

CVE-2024-13640 is a medium-severity vulnerability affecting the 'Print Invoice & Delivery Notes for WooCommerce' WordPress plugin developed by tychesoftwares. This vulnerability is classified under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. The issue affects all versions up to and including 5.4.1 of the plugin. The root cause lies in the insecure storage and access control of invoice files within the '/wp-content/uploads/wcdn/invoice' directory. When the plugin's email attachment setting is enabled, invoice files containing sensitive customer and transaction data are saved in this directory without proper access restrictions. This misconfiguration allows unauthenticated attackers to directly access and download these invoice files by navigating to the 'wcdn/invoice' directory on the affected WordPress site. The vulnerability does not require any authentication or user interaction, but the attack complexity is rated high due to the need to identify vulnerable sites and the specific directory structure. The CVSS 3.1 base score is 5.9, reflecting a medium severity level, with a vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. This vulnerability primarily risks the confidentiality of sensitive customer data, including personal and financial information contained in invoices, which could be leveraged for identity theft, fraud, or further targeted attacks.
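Because the root cause is that files under the uploads tree are handed to anyone who requests them over HTTP, the first defensive steps are an inventory and a web-server deny rule. The script below is an added example, not code from the plugin, the advisory or Wordfence: it finds the plugin through the standard WordPress `Plugin Name:` header comment, compares its `Version:` header against 5.4.1, lists what is currently stored in the invoice directory, and can write an Apache `.htaccess` that refuses all HTTP access (the nginx equivalent is carried as a string, since nginx does not read `.htaccess`). The plugin's directory slug and the docroot built by `demo()` are constructed assumptions.

```python
"""Audit a WordPress docroot for the CVE-2024-13640 exposure and, on request,
drop a deny-all .htaccess into the invoice directory.  Added example; this is
not code from the plugin or from the advisory."""
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Print Invoice & Delivery Notes for WooCommerce"   # from the advisory
LAST_VULNERABLE = (5, 4, 1)          # advisory: all versions <= 5.4.1 are affected
INVOICE_SUBDIR = Path("wp-content/uploads/wcdn/invoice")         # from the advisory

# Apache: refuse every HTTP request into this directory (2.4 syntax with a 2.2
# fallback) and switch off directory listings.  Files stay readable on disk,
# so PHP can still attach them to e-mail.
HTACCESS_DENY = """# CVE-2024-13640 mitigation: block web access to stored invoices
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

# nginx ignores .htaccess; this belongs inside the site's server {} block.
NGINX_DENY = """location ^~ /wp-content/uploads/wcdn/invoice/ {
    deny all;
}
"""

def parse_version(text):
    """'5.4.1' -> (5, 4, 1); trailing tags such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(version):
    """True for any version <= 5.4.1.  An unparseable version counts as
    affected so the audit fails safe."""
    parsed = parse_version(version)
    return not parsed or parsed <= LAST_VULNERABLE

def find_plugin_version(wp_root):
    """Read the standard 'Plugin Name:' / 'Version:' header comment of each
    plugin's main file; return the affected plugin's version, or None if absent."""
    for php in (Path(wp_root) / "wp-content" / "plugins").glob("*/*.php"):
        head = php.read_text(errors="replace")[:8192]      # header sits at the top
        name_re = r"^\s*\*?\s*Plugin Name:\s*" + re.escape(PLUGIN_NAME) + r"\s*$"
        if not re.search(name_re, head, re.M | re.I):
            continue
        m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", head, re.M | re.I)
        return m.group(1) if m else "unknown"
    return None

def htaccess_denies(invoice_dir):
    """Does an .htaccess in the invoice directory already refuse all access?"""
    ht = Path(invoice_dir) / ".htaccess"
    return ht.is_file() and bool(
        re.search(r"Require all denied|Deny from all", ht.read_text(errors="replace"), re.I))

def audit(wp_root, write_htaccess=False):
    """Report plugin version, exposure status and stored invoice files; with
    write_htaccess=True, install the deny rule when it is missing."""
    root = Path(wp_root)
    version = find_plugin_version(root)
    inv = root / INVOICE_SUBDIR
    report = {
        "plugin_version": version,
        "affected": version is not None and is_affected(version),
        "invoice_dir_exists": inv.is_dir(),
        "invoice_files": sorted(p.name for p in inv.iterdir()
                                if p.is_file() and not p.name.startswith("."))
                         if inv.is_dir() else [],
        "htaccess_denies": inv.is_dir() and htaccess_denies(inv),
    }
    if write_htaccess and report["invoice_dir_exists"] and not report["htaccess_denies"]:
        (inv / ".htaccess").write_text(HTACCESS_DENY)
        report["htaccess_denies"] = True
    return report

def demo():
    """Build a constructed docroot in a temp dir (plugin 5.4.1, one stored PDF)
    and run the audit before and after hardening."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / "example-plugin-slug"   # constructed slug
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "plugin.php").write_text(
        "<?php\n/**\n * Plugin Name: " + PLUGIN_NAME + "\n * Version: 5.4.1\n */\n")
    inv = root / INVOICE_SUBDIR
    inv.mkdir(parents=True)
    (inv / "invoice-1001.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    before = audit(root)
    after = audit(root, write_htaccess=True)
    return {"before": before, "after": after,
            "htaccess": (inv / ".htaccess").read_text()}

if __name__ == "__main__":
    for stage, value in demo().items():
        print(stage, value)
```

Run `audit("/var/www/html", write_htaccess=True)` on an Apache host; on nginx, add `NGINX_DENY` to the server block and reload instead. Refusing HTTP access does not stop the plugin attaching invoices to e-mail, because that path reads the files from disk; if any workflow hands customers direct URLs into that directory, those URLs will start returning 403 and need a different delivery mechanism.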

Potential Impact

For European organizations using WooCommerce with the affected plugin, this vulnerability poses a significant risk to customer privacy and data protection compliance, particularly under the GDPR framework. Exposure of invoice data can lead to unauthorized disclosure of personally identifiable information (PII), including names, addresses, purchase details, and potentially payment information. Such data breaches can result in regulatory penalties, reputational damage, and loss of customer trust. Additionally, exposed data could be used by threat actors for phishing campaigns or social engineering attacks targeting European customers or employees. The impact is heightened for e-commerce businesses with large customer bases or those handling sensitive transactions. Since the vulnerability allows unauthenticated access, attackers can exploit it remotely without needing credentials, increasing the risk of widespread data leakage. However, the attack complexity being high somewhat limits mass exploitation but does not eliminate targeted attacks against high-value organizations.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify if the 'Print Invoice & Delivery Notes for WooCommerce' plugin is installed and determine the version in use. Until an official patch is released, organizations should consider disabling the plugin or the email attachment feature that stores invoices in the vulnerable directory. Restricting access to the '/wp-content/uploads/wcdn/invoice' directory via web server configuration (e.g., using .htaccess rules for Apache or equivalent for Nginx) to deny public access is a critical temporary mitigation. Implementing authentication or IP-based restrictions on this directory can also reduce exposure. Monitoring web server logs for suspicious access attempts to the 'wcdn/invoice' path can help detect exploitation attempts. Organizations should also review and enhance their data retention policies to minimize sensitive data storage duration. Once a patch is available, prompt application of updates is essential. Additionally, informing customers about potential data exposure and preparing incident response plans aligned with GDPR breach notification requirements is advisable.
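To make the log-monitoring recommendation concrete, the following is an added Python example (not from the advisory or the plugin) that scans combined-format Apache/nginx access logs for requests into `/wp-content/uploads/wcdn/invoice`, normalises each path (query string stripped, percent-decoded, `.`/`..` segments collapsed) so that obfuscated variants are still matched, and separates successful reads, which mean data has already left the server, from blocked or failed probes. The log lines are constructed samples.

```python
"""Flag access-log requests that reach the exposed invoice directory.
Added example; the log lines below are constructed, not real traffic."""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

INVOICE_PATH = "/wp-content/uploads/wcdn/invoice"     # from the advisory

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: a directory listing and a PDF read that succeeded, an
# encoded variant that also succeeded, one blocked and one failed request after
# hardening, plus unrelated shop traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:11:02:01 +0000] "GET /wp-content/uploads/wcdn/invoice/ HTTP/1.1" 200 4521 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:11:02:05 +0000] "GET /wp-content/uploads/wcdn/invoice/invoice-1001.pdf HTTP/1.1" 200 83120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:11:02:09 +0000] "GET /wp-content/uploads/wcdn/%69nvoice/invoice-1002.pdf?x=1 HTTP/1.1" 200 80991 "-" "curl/8.4.0"
198.51.100.22 - - [10/Mar/2025:12:15:40 +0000] "GET /wp-content/uploads/wcdn/invoice/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2025:12:15:44 +0000] "GET /wp-content/uploads/wcdn/invoice/invoice-9999.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2025:12:20:00 +0000] "GET /shop/ HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
"""

def normalise_path(target):
    """Drop the query string, percent-decode and collapse './' and '../' so
    every spelling of the same resource compares equal."""
    path = target.split("?", 1)[0]
    return posixpath.normpath(unquote(path))

def classify(entry):
    """Label a parsed request by outcome; None when it is not about the
    invoice directory.  'served' and 'listing' are the confirmed exposures."""
    path = normalise_path(entry["target"])
    if path != INVOICE_PATH and not path.startswith(INVOICE_PATH + "/"):
        return None
    status = int(entry["status"])
    if status in (200, 206):
        return "listing" if path == INVOICE_PATH else "served"
    if status == 403:
        return "blocked"
    return "probe"          # 404 and anything else: looked, found nothing

def scan(log_text):
    """Return every invoice-directory hit with its label, per-IP counts and
    the subset where content was actually delivered."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line (e.g. a different log format)
        entry = m.groupdict()
        label = classify(entry)
        if label:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "path": normalise_path(entry["target"]),
                         "status": int(entry["status"]), "label": label})
    per_ip = Counter(h["ip"] for h in hits)
    exposed = [h for h in hits if h["label"] in ("served", "listing")]
    return {"hits": hits, "per_ip": per_ip, "exposed": exposed}

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for h in result["hits"]:
        print(f'{h["time"]} {h["ip"]:15} {h["status"]} {h["label"]:8} {h["path"]}')
    print("requests that delivered invoice content:", len(result["exposed"]))
```

Feed it `open("/var/log/apache2/access.log").read()` (or the nginx equivalent) and treat every `served` or `listing` entry dated before the deny rule went in as a confirmed disclosure for breach-notification purposes; `blocked` entries after hardening confirm the rule is working, and a burst of `probe` entries from one address is worth a firewall entry.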


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-22T22:57:04.770Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6c6b

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 9:55:36 PM

Last updated: 7/26/2025, 3:20:45 PM
