CVE-2026-1906 is a missing authorization vulnerability in the PDF Invoices & Packing Slips for WooCommerce plugin for WordPress, affecting all versions up to 5.6.0. The issue arises from the lack of capability checks and order ownership validation in the AJAX action `wpo_ips_edi_save_order_customer_peppol_identifiers`. This allows authenticated users with low privileges (Subscriber and above) to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for arbitrary orders by manipulating the `order_id` parameter. This vulnerability can impact the integrity of order routing on the Peppol network, potentially causing payment disruptions and unauthorized data exposure. The CVSS score is 4.3, indicating medium severity. There is no patch or official remediation guidance currently available.

An attacker with Subscriber-level or higher access can alter Peppol/EDI endpoint identifiers for any customer's order, which may lead to incorrect order routing within the Peppol network. This can cause payment processing issues and potential leakage of sensitive order-related data. The vulnerability does not directly impact confidentiality but affects data integrity and availability related to order processing.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles and permissions to trusted users only and monitor for suspicious activity related to order modifications. Avoid granting Subscriber-level or higher access to untrusted users. Review and implement custom capability checks if possible to mitigate unauthorized access to the affected AJAX action.