CVE-2025-13773 is a critical remote code execution (RCE) vulnerability identified in the Print Invoice & Delivery Notes for WooCommerce plugin for WordPress, affecting all versions up to and including 5.8.0. The vulnerability stems from multiple security oversights: the 'WooCommerce_Delivery_Notes::update' function lacks proper capability checks, allowing unauthorized access; PHP execution is enabled within the Dompdf library used by the plugin, which can be abused to execute arbitrary PHP code; and the 'template.php' file fails to properly escape user input, facilitating code injection. These combined issues enable unauthenticated attackers to remotely execute arbitrary code on the underlying server hosting the WordPress site. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the plugin improperly handles dynamic code generation, leading to injection risks. The CVSS v3.1 base score is 9.8, reflecting the vulnerability's critical nature with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized rapidly. The plugin is widely used by WooCommerce-based e-commerce sites to generate invoices and delivery notes, making this vulnerability a significant threat to online retailers relying on this plugin for order documentation.

The impact of CVE-2025-13773 is severe and multifaceted. Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the web server, potentially leading to full system compromise. This can result in data theft, including customer and payment information, defacement or destruction of website content, installation of backdoors or malware, and disruption of e-commerce operations. The integrity of order processing and invoicing can be undermined, damaging business reputation and customer trust. Additionally, attackers could leverage the compromised server as a pivot point for lateral movement within corporate networks or to launch further attacks. Given the plugin's integration with WooCommerce, a popular e-commerce platform, the scope of affected systems is substantial, increasing the potential scale of damage globally. The lack of authentication requirements and the network-accessible attack vector further exacerbate the risk, making exploitation feasible even by remote attackers without credentials.

To mitigate CVE-2025-13773, organizations should immediately update the Print Invoice & Delivery Notes for WooCommerce plugin to a patched version once released by the vendor. Until a patch is available, administrators should disable or remove the plugin to eliminate the attack surface. Implement strict web application firewall (WAF) rules to detect and block suspicious requests targeting the vulnerable update function or attempts to inject code via Dompdf. Restrict access to the WordPress admin and plugin endpoints using IP whitelisting or VPNs to reduce exposure. Review and harden PHP configurations to disable execution in directories used by Dompdf or the plugin templates. Conduct thorough code audits and penetration testing focused on plugin components handling dynamic code generation and user input. Monitor server logs for unusual activity indicative of exploitation attempts. Additionally, enforce the principle of least privilege for WordPress roles and capabilities to limit potential damage from compromised accounts. Backup critical data regularly and ensure incident response plans are in place to respond swiftly to any compromise.