{"api_version":"1","generated_at":"2026-04-23T15:19:57+00:00","cve":"CVE-2024-1773","urls":{"html":"https://cve.report/CVE-2024-1773","api":"https://cve.report/api/cve/CVE-2024-1773.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-1773","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-1773"},"summary":{"title":"PDF Invoices and Packing Slips For WooCommerce <= 1.3.7 - Authenticated (Subscriber+) PHP Object Injection","description":"The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-03-07 19:15:11","updated_at":"2026-04-08 18:20:48"},"problem_types":["CWE-502","CWE-74","CWE-502 CWE-502 Deserialization of Untrusted Data"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/4dc6e879-4ccf-485e-b02d-2b291e67df40?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/4dc6e879-4ccf-485e-b02d-2b291e67df40?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/pdf-invoices-and-packing-slips-for-woocommerce/trunk/includes/class-apifw-front-end.php#L94","name":"https://plugins.trac.wordpress.org/browser/pdf-invoices-and-packing-slips-for-woocommerce/trunk/includes/class-apifw-front-end.php#L94","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3042740/","name":"https://plugins.trac.wordpress.org/changeset/3042740/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-1773","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1773","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"acowebs","product":"PDF Invoices and Packing Slips For WooCommerce","version":"affected 1.3.7 semver","platforms":[]},{"source":"ADP","vendor":"acowebs","product":"pdf_invoices_and_packing_slips","version":"affected 1.3.7 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-03-06T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Peter Thaleikis","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"1773","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"acowebs","cpe5":"pdf_invoices_and_packing_slips_for_woocommerce","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"free","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-01T18:48:22.014Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/4dc6e879-4ccf-485e-b02d-2b291e67df40?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/pdf-invoices-and-packing-slips-for-woocommerce/trunk/includes/class-apifw-front-end.php#L94"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/3042740/"}],"title":"CVE Program Container"},{"affected":[{"cpes":["cpe:2.3:a:acowebs:pdf_invoices_and_packing_slips:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"pdf_invoices_and_packing_slips","vendor":"acowebs","versions":[{"lessThanOrEqual":"1.3.7","status":"affected","version":"0","versionType":"custom"}]}],"metrics":[{"other":{"content":{"id":"CVE-2024-1773","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2024-03-08T15:14:57.465165Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-08-05T16:28:12.873Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"PDF Invoices and Packing Slips For WooCommerce","vendor":"acowebs","versions":[{"lessThanOrEqual":"1.3.7","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Peter Thaleikis"}],"descriptions":[{"lang":"en","value":"The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}],"metrics":[{"cvssV3_1":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"CWE-502 Deserialization of Untrusted Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:51:34.049Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/4dc6e879-4ccf-485e-b02d-2b291e67df40?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/pdf-invoices-and-packing-slips-for-woocommerce/trunk/includes/class-apifw-front-end.php#L94"},{"url":"https://plugins.trac.wordpress.org/changeset/3042740/"}],"timeline":[{"lang":"en","time":"2024-03-06T00:00:00.000Z","value":"Disclosed"}],"title":"PDF Invoices and Packing Slips For WooCommerce <= 1.3.7 - Authenticated (Subscriber+) PHP Object Injection"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-1773","datePublished":"2024-03-07T18:49:17.589Z","dateReserved":"2024-02-22T18:23:24.614Z","dateUpdated":"2026-04-08T16:51:34.049Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-03-07 19:15:11","lastModifiedDate":"2026-04-08 18:20:48","problem_types":["CWE-502","CWE-74","CWE-502 CWE-502 Deserialization of Untrusted Data"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:acowebs:pdf_invoices_and_packing_slips_for_woocommerce:*:*:*:*:free:wordpress:*:*","versionEndExcluding":"1.3.8","matchCriteriaId":"6EDE7F8C-E849-4058-BE61-FBEEFA4F0316"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"1773","Ordinal":"1","Title":"PDF Invoices and Packing Slips For WooCommerce <= 1.3.7 - Authen","CVE":"CVE-2024-1773","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"1773","Ordinal":"1","NoteData":"The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","Type":"Description","Title":"PDF Invoices and Packing Slips For WooCommerce <= 1.3.7 - Authen"}]}}}