CVE-2025-13773 is a critical remote code execution (RCE) vulnerability found in the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress, affecting all versions up to and including 5.8.0. The vulnerability stems from a combination of insecure coding practices: the 'WooCommerce_Delivery_Notes::update' function lacks proper capability checks, allowing unauthorized access; PHP execution is enabled within the Dompdf library used by the plugin, which can be leveraged to execute arbitrary PHP code; and the 'template.php' file fails to properly escape user input, facilitating code injection. These factors collectively enable unauthenticated attackers to execute arbitrary code on the web server hosting the vulnerable plugin. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the plugin improperly handles code generation or execution. The CVSS v3.1 base score is 9.8, reflecting a critical severity with network attack vector, no required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the ease of exploitation and the critical impact make this a high-priority threat. The vulnerability affects a widely used e-commerce plugin integrated into WordPress sites, which are prevalent globally, including Europe. Attackers exploiting this flaw could gain full control over the affected server, potentially leading to data theft, site defacement, malware deployment, or pivoting to internal networks.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the vulnerable Print Invoice & Delivery Notes plugin, this vulnerability presents a severe risk. Successful exploitation can lead to complete server compromise, resulting in loss of customer data confidentiality, unauthorized modification or deletion of data, and disruption of business operations. The ability for unauthenticated attackers to execute arbitrary code increases the likelihood of widespread exploitation, potentially leading to ransomware deployment, data breaches, or use of compromised servers in botnets. Given the critical nature of e-commerce in Europe and the reliance on WordPress-based solutions, the impact could extend to reputational damage, regulatory penalties under GDPR for data breaches, and financial losses. The vulnerability also threatens the integrity of invoicing and delivery note processes, which are essential for compliance and operational workflows in European businesses.

1. Immediate action should be to update the Print Invoice & Delivery Notes for WooCommerce plugin to a patched version once available. If no patch is currently released, disable or uninstall the plugin to prevent exploitation. 2. Implement strict access controls on WordPress admin endpoints and restrict update functions to authenticated and authorized users only. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability, focusing on requests targeting the vulnerable update function. 4. Conduct thorough code reviews and security audits of custom or third-party plugins to identify similar insecure coding patterns, especially around code generation and execution. 5. Monitor server logs and WordPress activity logs for unusual or unauthorized access attempts, particularly targeting the plugin’s update functionality. 6. Harden PHP configurations by disabling execution in directories used by Dompdf or other libraries where not necessary. 7. Educate development and operations teams about secure coding practices related to input validation, escaping, and capability checks to prevent CWE-94 type vulnerabilities in the future.