CVE-2025-67589: Missing Authorization in WP Overnight WooCommerce PDF Invoices & Packing Slips
Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips (plugin slug woocommerce-pdf-invoices-packing-slips) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1.
AI Analysis
Technical Summary
CVE-2025-67589 identifies a missing authorization vulnerability in the WP Overnight WooCommerce PDF Invoices & Packing Slips plugin (slug woocommerce-pdf-invoices-packing-slips), affecting all versions up to and including 4.9.1. The advisory describes the weakness as incorrectly configured access control security levels: a code path that generates or serves PDF invoices and packing slips can be reached without the plugin confirming that the caller holds the permission that path is meant to require. In WordPress plugins this class of bug usually takes the form of a handler (admin-ajax, admin-post, REST, or a front-end query parameter) that checks a nonce, or nothing at all, instead of a capability and order ownership; a nonce only proves that the request came from a page that embedded it, not that the user may read the order in question. Invoices and packing slips carry billing and shipping addresses, contact details, line items and totals, so the realistic outcome is disclosure of customer and order data to someone who should not see it. Whether documents can also be altered, and whether the affected path is reachable without any account, is not stated in the advisory. The plugin is widely deployed on WooCommerce stores to automate these documents, so the affected population is large. No public exploit has been reported. The vulnerability was published on December 9, 2025, with no CVSS score assigned (the record lists no CVSS version). The record also carries no patch link; that does not mean no fix exists, and administrators should check the plugin changelog for a release later than 4.9.1 before deciding on interim measures. Missing authorization undermines the confidentiality and, potentially, the integrity of order data, which is why it warrants prompt attention even without a severity rating.
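As an added illustration (not code from the WooCommerce PDF Invoices & Packing Slips plugin, whose affected code path the advisory does not identify), the following PHP shows the handler shape that produces missing-authorization findings in WordPress plugins, beside a hardened version that separates authentication, intent (nonce) and authorization. The hook and action names, the `order_id` and `document_type` parameters and the `example_*` helpers are assumptions for illustration; `manage_woocommerce` is WooCommerce's own shop-management capability and the other calls are standard WordPress/WooCommerce API.

```php
<?php
// Added illustration, not code from the WooCommerce PDF Invoices & Packing Slips plugin.
// Hook/action names, request parameters and the example_* helpers are assumptions.

// VULNERABLE SHAPE. Registered for logged-in and anonymous users alike, and the only
// check is a nonce. A nonce proves the request came from a page that embedded it; it
// does not establish who the caller is or which orders they may read.
add_action('wp_ajax_example_pdf_v1',        'example_pdf_document_vulnerable');
add_action('wp_ajax_nopriv_example_pdf_v1', 'example_pdf_document_vulnerable');

function example_pdf_document_vulnerable(): void {
    if (!wp_verify_nonce($_GET['_wpnonce'] ?? '', 'example_pdf_v1')) {
        wp_die('Invalid request', 403);
    }
    $order = wc_get_order(absint($_GET['order_id'] ?? 0));
    if (!$order) {
        wp_die('Order not found', 404);
    }
    // Any visitor holding a valid nonce (for example one taken from their own
    // My Account page) can now iterate order_id and download every customer's invoice.
    example_stream_document($order, sanitize_key($_GET['document_type'] ?? 'invoice'));
}

// HARDENED SHAPE. Authenticate, verify intent (nonce), then authorize against both
// a capability and order ownership. Deliberately not registered on wp_ajax_nopriv_.
add_action('wp_ajax_example_pdf_v2', 'example_pdf_document_hardened');

function example_pdf_document_hardened(): void {
    if (!is_user_logged_in()) {
        wp_die('Authentication required', 401);
    }
    if (!wp_verify_nonce($_GET['_wpnonce'] ?? '', 'example_pdf_v2')) {
        wp_die('Invalid request', 403);
    }
    $order = wc_get_order(absint($_GET['order_id'] ?? 0));
    if (!$order) {
        wp_die('Order not found', 404);
    }
    $document_type = sanitize_key($_GET['document_type'] ?? 'invoice');
    if (!example_user_may_view_document(get_current_user_id(), $order, $document_type)) {
        wp_die('Forbidden', 403);
    }
    example_stream_document($order, $document_type);
}

// The authorization decision lives in one function so it can be unit-tested and
// audited independently of the request handling around it.
function example_user_may_view_document(int $user_id, WC_Order $order, string $document_type): bool {
    if ($user_id <= 0) {
        return false;
    }
    // Staff: WooCommerce's shop-management capability covers every document type.
    if (user_can($user_id, 'manage_woocommerce')) {
        return true;
    }
    // Customers: only their own orders, and only invoices. Packing slips are
    // warehouse-internal and should never be served to a customer account.
    if ($document_type !== 'invoice') {
        return false;
    }
    return (int) $order->get_customer_id() === $user_id;
}

// Output sink. PDF rendering is the plugin's job and is not reproduced here; the
// headers are what a real handler sets before streaming the file body.
function example_stream_document(WC_Order $order, string $document_type): void {
    nocache_headers();
    header('Content-Type: application/pdf');
    header(sprintf('Content-Disposition: inline; filename="%s-%d.pdf"', $document_type, $order->get_id()));
    // Rendering omitted: hand $order to the site's PDF engine and write its bytes here.
    // The authorization logic above does not depend on it.
    exit;
}
```

The point to take from the two shapes: `wp_verify_nonce` is CSRF protection, not authorization, and `wp_ajax_nopriv_` exposes a handler to logged-out visitors. When auditing a plugin for this class of flaw, look for document or export handlers that stop at the nonce check, and for customer-facing links that pass an order ID without the server confirming ownership.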
Potential Impact
For European organizations running WooCommerce stores with this plugin, the primary risk is to the confidentiality of customer and order data. Invoices and packing slips contain personal data (names, postal addresses, often email addresses and phone numbers) together with order details; disclosure to an unauthorized party is a personal-data breach under the GDPR, with the notification duties, potential fines and reputational cost that entails. If the affected code path also allows documents to be generated with attacker-chosen parameters, altered invoices could feed fraud or payment disputes, but the advisory describes only unauthorized access, not data modification, and it describes no availability impact. Because WooCommerce is widely used across Europe's e-commerce sector, the exposed population is large, with mid-sized and large retailers holding the most customer records per site. No exploitation in the wild has been reported, which leaves a window for mitigation; missing-authorization flaws in WordPress plugins are, however, typically simple to exercise once the affected request is known, so that window should be treated as short.
Mitigation Recommendations
1. Restrict who can reach document generation. Confine the Shop Manager role (and any custom role carrying `manage_woocommerce`) to staff who need it, remove stale or shared accounts, and review the plugin's settings that control which documents customers can download from My Account, disabling anything not needed.
2. Monitor web server and application logs for requests to the plugin's document endpoints. The patterns that matter are one client requesting many different order IDs in a short period, document requests that succeed without the nonce parameter the legitimate UI sends, and document requests from sessions that carry no WordPress login cookie.
3. Add web application firewall rules in front of the plugin's endpoints: rate-limit document requests per client, and require a `wordpress_logged_in_*` cookie on document-generation requests unless a customer-facing flow genuinely needs anonymous access.
4. Check the plugin changelog and the WP Overnight and Patchstack advisories for a release later than 4.9.1 that addresses CVE-2025-67589, and apply it promptly; the absence of a patch link in this record does not mean no fix has shipped.
5. If no fix is available and the risk is unacceptable, temporarily deactivate the plugin (this stops invoice generation, so confirm the business impact first) or switch to an alternative whose access controls have been verified.
6. Review other WooCommerce plugins for the same weakness: handlers reachable through admin-ajax, admin-post or REST that check a nonce, or nothing, instead of a capability and object ownership.
7. Brief the staff who operate the store on the issue and on what suspicious activity looks like, so that anomalies in order or document access are reported rather than ignored.
8. Keep secure, tested backups of order and invoice data so that records can be restored if tampering is discovered.
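As an added example for steps 2 and 3 above (not code from the plugin, the vendor or the advisory), the following PHP command-line script scans access-log lines for document-generation requests and flags clients that walk through many order IDs or succeed without a nonce. The endpoint pattern `admin-ajax.php?action=generate_wpo_wcpdf&document_type=...&order_ids=...` is an assumption for illustration; confirm the real request shape from your own logs before relying on it. The embedded log lines are constructed, not real traffic.

```php
<?php
// Added example, not from the plugin or the advisory. Requires PHP 8.0+.
// The endpoint pattern below is assumed for illustration; verify against real logs.

// Constructed sample lines in combined log format (not real traffic).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [09/Dec/2025:14:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=generate_wpo_wcpdf&document_type=invoice&order_ids=1001&_wpnonce=ab12cd34 HTTP/1.1" 200 48211 "https://shop.example/wp-admin/edit.php" "Mozilla/5.0"
198.51.100.23 - - [09/Dec/2025:14:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=generate_wpo_wcpdf&document_type=invoice&order_ids=1002 HTTP/1.1" 200 47390 "-" "curl/8.4.0"
198.51.100.23 - - [09/Dec/2025:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=generate_wpo_wcpdf&document_type=invoice&order_ids=1003 HTTP/1.1" 200 47102 "-" "curl/8.4.0"
198.51.100.23 - - [09/Dec/2025:14:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=generate_wpo_wcpdf&document_type=packing-slip&order_ids=1004,1005 HTTP/1.1" 200 22310 "-" "curl/8.4.0"
198.51.100.23 - - [09/Dec/2025:14:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=generate_wpo_wcpdf&document_type=invoice&order_ids=1006 HTTP/1.1" 200 47755 "-" "curl/8.4.0"
192.0.2.44 - - [09/Dec/2025:14:05:40 +0000] "GET /my-account/orders/ HTTP/1.1" 200 10233 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line; return null unless it is a document request.
function parse_document_request(string $line): ?array {
    // ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-)/', $line, $m)) {
        return null;
    }
    [, $ip, $time, , $target, $status] = $m;
    $path  = (string) parse_url($target, PHP_URL_PATH);
    parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
    if (!str_ends_with($path, '/admin-ajax.php') || ($params['action'] ?? '') !== 'generate_wpo_wcpdf') {
        return null;
    }
    // order_ids may be a single ID or a comma-separated list.
    $ids = array_filter(array_map('trim', explode(',', (string) ($params['order_ids'] ?? ''))), 'strlen');
    return [
        'ip'            => $ip,
        'time'          => $time,
        'status'        => (int) $status,
        'document_type' => (string) ($params['document_type'] ?? ''),
        'order_ids'     => array_values($ids),
        'has_nonce'     => isset($params['_wpnonce']),
    ];
}

// Aggregate per client and decide what to flag.
function analyze_document_requests(string $log, int $order_threshold = 3): array {
    $clients = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_document_request($line);
        if ($req === null) {
            continue;
        }
        $ip = $req['ip'];
        if (!isset($clients[$ip])) {
            $clients[$ip] = ['requests' => 0, 'orders' => [], 'no_nonce' => 0, 'types' => []];
        }
        $clients[$ip]['requests']++;
        foreach ($req['order_ids'] as $id) {
            $clients[$ip]['orders'][$id] = true;
        }
        // A 200 without the nonce the legitimate UI sends is the signal for an
        // unauthenticated or scripted caller reaching the endpoint directly.
        if (!$req['has_nonce'] && $req['status'] === 200) {
            $clients[$ip]['no_nonce']++;
        }
        $clients[$ip]['types'][$req['document_type']] = true;
    }

    $findings = [];
    foreach ($clients as $ip => $c) {
        $distinct = count($c['orders']);
        $reasons  = [];
        if ($distinct >= $order_threshold) {
            $reasons[] = "$distinct distinct order IDs";
        }
        if ($c['no_nonce'] > 0) {
            $reasons[] = "{$c['no_nonce']} successful requests without _wpnonce";
        }
        $findings[$ip] = [
            'requests'        => $c['requests'],
            'distinct_orders' => $distinct,
            'document_types'  => array_keys($c['types']),
            'flagged'         => $reasons !== [],
            'reasons'         => $reasons,
        ];
    }
    return $findings;
}

// CLI entry point: php detect_invoice_enumeration.php [access.log]
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    $log = $argc > 1 ? (string) file_get_contents($argv[1]) : SAMPLE_LOG;
    foreach (analyze_document_requests($log) as $ip => $f) {
        if ($f['flagged']) {
            printf("ALERT %s: %d document requests (%s); %s\n",
                $ip, $f['requests'], implode(',', $f['document_types']), implode('; ', $f['reasons']));
        }
    }
}
```

On the sample input, 198.51.100.23 is flagged (five distinct order IDs across invoice and packing-slip requests, all without a nonce) while the admin at 203.0.113.7, who fetched one order with a nonce, is not. Tune the order threshold to normal back-office behaviour, and confirm which legitimate flows carry a nonce before alerting on its absence; the same two conditions (per-client order-ID fan-out and missing nonce) translate directly into WAF rate-limit and blocking rules for step 3.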
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-12-09T12:21:39.681Z
CVSS Version: null (no score assigned)
State: PUBLISHED
Threat ID: 693833ae29cea75c35ae5764
Added to database: 12/9/2025, 2:35:26 PM
Last enriched: 12/9/2025, 2:52:49 PM
Last updated: 12/11/2025, 2:20:53 AM