CVE-2024-13640: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in tychesoftwares Print Invoice & Delivery Notes for WooCommerce
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.4.1 via the 'wcdn/invoice' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/wcdn/invoice directory which can contain invoice files if an email attachment setting is enabled.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-13640 affects the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress, specifically versions up to and including 5.4.1. This plugin is widely used to generate and manage invoices and delivery notes for WooCommerce-based e-commerce sites. The issue arises from the plugin storing invoice files in the /wp-content/uploads/wcdn/invoice directory without adequate access controls. When the email attachment feature is enabled, these invoice files—which may contain sensitive customer information such as names, addresses, order details, and payment information—are accessible to unauthenticated attackers via direct HTTP requests to the 'wcdn/invoice' path. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.9, reflecting a medium severity level, with an attack vector of network (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:H, I:N, A:N). This means an attacker can remotely and anonymously retrieve sensitive data without modifying or disrupting the system. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the exposure of sensitive data poses a significant privacy risk for affected organizations and their customers.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive customer and transactional data, which can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage. Attackers gaining access to invoice data may harvest personally identifiable information (PII), financial details, and order histories, potentially facilitating identity theft, fraud, or targeted phishing attacks. Although the vulnerability does not allow modification or disruption of services, the confidentiality breach alone can have severe consequences for e-commerce businesses and their customers. Organizations relying on this plugin risk exposure of sensitive data to any internet user, increasing the attack surface and potential for data leaks. This can also undermine customer trust and lead to legal liabilities. The lack of authentication and user interaction requirements makes exploitation relatively straightforward for attackers with network access to the affected WordPress sites.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit their use of the Print Invoice & Delivery Notes for WooCommerce plugin and verify if the email attachment setting is enabled. If enabled, consider disabling this feature until a patch or update is available. Restrict direct access to the /wp-content/uploads/wcdn/invoice directory by implementing web server access controls such as .htaccess rules for Apache or equivalent configurations for NGINX to block unauthorized HTTP requests. Employ authentication mechanisms or IP whitelisting to limit access to invoice files. Regularly monitor web server logs for suspicious access attempts to the invoice directory. Keep the plugin updated and subscribe to vendor security advisories for forthcoming patches. Additionally, consider encrypting sensitive invoice files at rest and in transit. Conduct a thorough review of WordPress file permissions and ensure that upload directories do not expose sensitive data publicly. Finally, educate site administrators about secure plugin configuration and the risks of exposing sensitive data through misconfiguration.
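Two of the recommendations above (block direct access to the invoice directory and monitor the web server logs for access attempts) can be checked mechanically. The script below is an added example, not code from the advisory, from Wordfence, or from the plugin. It assumes Apache/NGINX combined log format for the access log and an Apache 2.4 `Require all denied` (or legacy 2.2 `Deny from all`) rule in an `.htaccess` file as the block mechanism; the log lines and directory tree it uses are constructed sample data, and the invoice path is the one named in the advisory.

```python
"""Added example (not the advisory's or the plugin's code): defender-side
checks for the CVE-2024-13640 exposure of /wp-content/uploads/wcdn/invoice.

scan_access_log()  - parse combined-format access log lines and report
                     requests that hit the invoice directory, separating
                     those that were actually served (2xx) from blocked ones.
audit_invoice_dir() - confirm an Apache .htaccess deny rule is in place.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

INVOICE_PATH = "/wp-content/uploads/wcdn/invoice"  # from the advisory

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/invoice/x.pdf?download=1" still matches the prefix.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def scan_access_log(lines):
    """Return 'hits' (all requests under the invoice dir), 'served' (hits that
    returned 2xx, i.e. a file was actually disclosed) and a per-IP counter of
    served files so a single address pulling many invoices stands out."""
    hits, served, by_ip = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(INVOICE_PATH):
            continue
        hits.append(rec)
        if 200 <= rec["status"] < 300:
            served.append(rec)
            by_ip[rec["ip"]] += 1
    return {"hits": hits, "served": served, "by_ip": by_ip}

DENY_DIRECTIVES = ("require all denied", "deny from all")  # Apache 2.4 / 2.2

def audit_invoice_dir(uploads_root):
    """Check whether <uploads_root>/wcdn/invoice carries an .htaccess that
    denies direct access. Returns (ok, reason). An NGINX deny lives in the
    server config, not in the directory, so this check cannot see it; there
    a missing .htaccess means 'unknown', not 'safe'."""
    inv = Path(uploads_root) / "wcdn" / "invoice"
    if not inv.is_dir():
        return True, "invoice directory absent (attachment feature likely off)"
    ht = inv / ".htaccess"
    if not ht.is_file():
        return False, "no .htaccess in invoice directory"
    text = ht.read_text(errors="replace").lower()
    if any(d in text for d in DENY_DIRECTIVES):
        return True, ".htaccess denies direct access"
    return False, ".htaccess present but contains no deny directive"

def demo_audit(tmp_root=None):
    """Walk the three audit states on a scratch tree (constructed sample)."""
    tmp_root = tmp_root or tempfile.mkdtemp()
    inv = Path(tmp_root) / "wcdn" / "invoice"
    results = [audit_invoice_dir(tmp_root)[0]]          # no directory -> True
    inv.mkdir(parents=True)
    results.append(audit_invoice_dir(tmp_root)[0])      # dir, no rule -> False
    (inv / ".htaccess").write_text("Require all denied\n")
    results.append(audit_invoice_dir(tmp_root)[0])      # rule present -> True
    return results

# Constructed sample log lines (documentation IP ranges, fictitious invoices).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /wp-content/uploads/wcdn/invoice/invoice-1001.pdf HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:10:01:10 +0000] "GET /wp-content/uploads/wcdn/invoice/invoice-1002.pdf?x=1 HTTP/1.1" 200 47990 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "GET /wp-content/uploads/wcdn/invoice/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    report = scan_access_log(SAMPLE_LOG)
    print(f"{len(report['hits'])} requests to invoice dir, "
          f"{len(report['served'])} served, by IP: {dict(report['by_ip'])}")
    print("audit states:", demo_audit())
```

Run it against a real access log by feeding `open("access.log")` to `scan_access_log`; any entry in `served` after the block rule is deployed means the rule is not taking effect (for example because `AllowOverride` is off for the uploads tree), and the `by_ip` counter is the first thing to look at when deciding whether a disclosure was scripted enumeration or a single customer opening their own invoice link.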
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-22T22:57:04.770Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6c6b
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 2/28/2026, 12:01:26 PM
Last updated: 3/25/2026, 9:13:59 PM