CVE-2025-67589: Missing Authorization in WP Overnight WooCommerce PDF Invoices & Packing Slips
Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1.
AI Analysis
Technical Summary
CVE-2025-67589 identifies a missing authorization vulnerability in the WP Overnight WooCommerce PDF Invoices & Packing Slips plugin, affecting versions up to and including 4.9.1. The vulnerability arises from incorrectly configured access control mechanisms, allowing authenticated users with limited privileges (PR:L) to bypass authorization checks and access invoice and packing slip data they should not be permitted to view or manipulate. The vulnerability is remotely exploitable over the network (AV:N) without requiring user interaction (UI:N). The CVSS 3.1 base score is 4.3 (medium), reflecting a low confidentiality impact and no impact on integrity or availability. This suggests that while unauthorized data disclosure is possible, it does not allow modification or disruption of services. The plugin is widely used in WooCommerce-based e-commerce sites to generate and manage PDF invoices and packing slips, which contain sensitive customer and order information. The lack of proper authorization checks could expose sensitive business and customer data to unauthorized internal users or attackers who have gained limited access. No known exploits are currently reported in the wild, and no official patches have been linked, indicating that organizations must proactively monitor for updates and consider interim controls. The vulnerability was published on December 9, 2025, by Patchstack, with no CWE assigned yet. Given the nature of the flaw, it is primarily a privilege escalation or access control bypass issue within the plugin's functionality.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive customer and order information contained in PDF invoices and packing slips generated by WooCommerce stores using the affected plugin. This could lead to privacy violations under GDPR if personal data is exposed without consent. Although the vulnerability does not allow data modification or service disruption, unauthorized access to financial documents could facilitate fraud, social engineering, or competitive intelligence gathering. E-commerce businesses relying on WooCommerce in Europe, especially those handling large volumes of transactions, are at risk of reputational damage and regulatory penalties if exploited. The medium severity rating reflects that the impact is limited to confidentiality and requires some level of authenticated access, reducing the likelihood of widespread exploitation. However, insider threats or compromised low-privilege accounts could leverage this flaw to escalate access. The absence of known exploits provides a window for mitigation, but organizations should act promptly to avoid exposure.
Mitigation Recommendations
European organizations should immediately audit their WooCommerce installations to identify if the WP Overnight PDF Invoices & Packing Slips plugin is in use and confirm the version. Until an official patch is released, restrict access to the plugin’s invoice and packing slip functionalities to only trusted and necessary user roles, minimizing the number of users with any level of privilege that could exploit this flaw. Implement strict role-based access controls (RBAC) and review user permissions regularly. Monitor access logs for unusual or unauthorized attempts to access invoice or packing slip data. Consider disabling the plugin temporarily if feasible or replacing it with alternative solutions that have verified secure access controls. Stay informed through vendor advisories and Patchstack updates to apply patches promptly once available. Additionally, conduct internal security awareness training to reduce the risk of credential compromise that could facilitate exploitation. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin endpoints. Finally, ensure that all WooCommerce and WordPress core components are kept up to date to reduce the attack surface.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:39.681Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833ae29cea75c35ae5764
Added to database: 12/9/2025, 2:35:26 PM
Last enriched: 1/21/2026, 1:05:46 AM
Last updated: 2/7/2026, 9:15:46 PM