CVE-2026-1906: CWE-862 Missing Authorization in wpovernight PDF Invoices & Packing Slips for WooCommerce
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data leakage.
AI Analysis
Technical Summary
CVE-2026-1906 is a CWE-862 (Missing Authorization) flaw in the PDF Invoices & Packing Slips for WooCommerce plugin for WordPress, affecting all versions up to and including 5.6.0. The AJAX action `wpo_ips_edi_save_order_customer_peppol_identifiers` performs neither a capability check nor a check that the requesting user owns the order it is asked to act on. Any authenticated user with at least Subscriber-level privileges can therefore supply an arbitrary `order_id` and overwrite the Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, the participant identifier, and `peppol_endpoint_eas`, the Electronic Address Scheme code that qualifies it) stored for the customer attached to an order they do not own. Peppol is the e-invoicing network widely used in Europe for compliant business-to-business and business-to-government invoicing, and these two values determine where a document is delivered on that network. Altering them lets an attacker cause invoices to be misrouted or rejected, producing payment delays or failures, and can expose invoice contents to a party who should not receive them. Exploitation requires authentication but no user interaction, so any account that can log in, including self-registered Subscriber accounts on sites with open registration, can trigger it. The CVSS v3.1 base score is 4.3 (medium), reflecting an integrity impact with limited direct effect on confidentiality or availability. No patches were linked at the time of publication, and no exploitation in the wild has been reported. The root cause is generic: an AJAX handler that modifies data must verify both the caller's capability and the caller's relationship to the referenced object, not merely that the caller is logged in.
Potential Impact
For European organizations, especially those running WooCommerce with the PDF Invoices & Packing Slips plugin and Peppol e-invoicing enabled, this vulnerability can disrupt a core business process. Tampered Peppol endpoint identifiers cause invoices to be misrouted or rejected on the Peppol network, leading to payment delays or failures that affect cash flow and supplier relationships. The data leakage risk is indirect but real: an invoice routed to an attacker-chosen endpoint delivers buyer and seller details, line items and amounts to a party who should never have received it. Given Peppol's widespread adoption in Europe for compliant e-invoicing, organizations in countries with strong e-invoicing mandates (e.g., Germany, France, Netherlands, Italy, Spain, and the Nordics) are at higher risk. Because the only prerequisite is a low-privilege account, sites that allow open customer registration expose the flaw to anyone on the internet. The CVSS score treats this primarily as an integrity issue rather than a confidentiality or availability one, but the operational and financial consequences of silently corrupted routing data can be significant, and invoicing data whose integrity cannot be vouched for may also create regulatory compliance problems.
Mitigation Recommendations
Organizations should immediately inventory their WordPress installations for the PDF Invoices & Packing Slips plugin at version 5.6.0 or earlier and check whether Peppol/EDI invoicing is in use on each site; the advisory scopes the impact to systems using Peppol invoicing, but the version check should be done regardless. Note that narrowing the Subscriber role's capabilities does not help here: the handler checks no capability at all, so there is nothing to take away. Until an official patch is released, practical interim controls are to block requests to `admin-ajax.php` carrying `action=wpo_ips_edi_save_order_customer_peppol_identifiers` at the web application firewall or web server for everyone except shop staff, to add a must-use plugin that hooks the same AJAX action ahead of the plugin's handler and enforces a capability and order-ownership check, and to disable open user registration where it is not needed. Because web server access logs do not record the WordPress role of the requester, detection of abuse needs application-level logging: record every invocation of this action with the user ID, the supplied `order_id` and the order's actual customer ID, and alert when they do not match. Once a patch is available, apply it promptly, then review customers' stored Peppol identifiers for changes made during the exposure window. More generally, organizations should harden their WooCommerce and WordPress posture by enforcing least privilege, validating user input rigorously, and regularly assessing e-commerce plugins that handle financial or routing data.
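The following is an added example and is not code from the plugin, from wpovernight, or from this advisory. It packages the two checks the Technical Summary identifies as missing (a capability check and an order-ownership check) as a must-use plugin guard of the kind the mitigation paragraph describes. It assumes the plugin registers its handler on the standard `wp_ajax_` hook for the action name given in the advisory (the usual WordPress convention, not confirmed on this page), that `order_id` arrives as a request parameter, and that `manage_woocommerce` is the right capability for shop staff; the function name `example_guard_peppol_identifier_save` is hypothetical.

```php
<?php
/**
 * Plugin Name: Peppol identifier AJAX guard (added example, not the plugin's own code)
 * Description: Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumption: the plugin's handler is attached to this same hook at the
// default priority (10). Priority 1 runs the guard first; on failure the
// guard terminates the request, so the plugin's handler never executes.
add_action(
    'wp_ajax_wpo_ips_edi_save_order_customer_peppol_identifiers',
    'example_guard_peppol_identifier_save',
    1
);

function example_guard_peppol_identifier_save() {
    // Capability check: shop managers and administrators may edit any order.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return;
    }

    // Ownership check: everyone else may only act on an order whose
    // customer is the currently logged-in user. admin-ajax.php accepts the
    // action from GET or POST, so read the parameter from $_REQUEST.
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;
    $order    = ( $order_id && function_exists( 'wc_get_order' ) ) ? wc_get_order( $order_id ) : false;
    $user_id  = get_current_user_id();

    // wc_get_order() returns false for an unknown ID; a guest order has
    // customer ID 0, which can never equal a logged-in user's ID.
    if ( ! $order || (int) $order->get_customer_id() !== $user_id ) {
        // Application-level log line: access logs cannot tell roles apart,
        // so this is the record a detection rule can key on.
        error_log( sprintf(
            'peppol-guard: blocked identifier change by user %d for order_id %d (owner %s) from %s',
            $user_id,
            $order_id,
            $order ? (string) $order->get_customer_id() : 'none',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        // wp_send_json_error() calls wp_die(), ending the request here.
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
}
```

The guard deliberately does not verify a nonce, because the plugin's nonce action name is not given on this page; a nonce would add CSRF protection but is not what is missing in the reported flaw. The guard is an interim control only: it depends on the hook-name assumption above, so confirm on a staging site that a Subscriber's request for another customer's `order_id` receives the 403 before relying on it, and remove it once the vendor's fix is installed.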
Affected Countries
Germany, France, Netherlands, Italy, Spain, Sweden, Denmark, Finland, Norway, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T15:19:56.700Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6995557f80d747be2043e618
Added to database: 2/18/2026, 6:00:31 AM
Last enriched: 2/18/2026, 6:15:13 AM
Last updated: 2/20/2026, 10:23:06 PM