What is CVE-2025-13773?

CVE-2025-13773 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-13773?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-13773.

How can I protect against CVE-2025-13773?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-13773.

REPORT / 01

Analysis Report · Folder Analysis cache/woocommerce-delivery-notes_5.8.0 → cache/woocommerce-delivery-notes_5.9.0 — CVE-2025-13773

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-13773 NVD

AI-Generated Analysis

## 1. Vulnerability Background

- What is this vulnerability?
  - CVE-2025-13773 is an unauthenticated remote code execution (RCE) vulnerability in the Print Invoice & Delivery Notes for WooCommerce WordPress plugin.
  - The root cause is a combination of insecure PDF generation configuration and missing access control / escaping in the plugin.
  - Specifically, Dompdf was configured with `isPhpEnabled = true`, allowing embedded PHP code inside the generated HTML to execute on the server.

- Why is it critical/important?
  - RCE is one of the highest-impact vulnerabilities for web applications.
  - An attacker can execute arbitrary PHP code with the privileges of the web server process.
  - This can lead to full site compromise, data exfiltration, credential theft, pivoting to other infrastructure, and persistent backdoors.

- What systems/versions are affected?
  - All versions of Print Invoice & Delivery Notes for WooCommerce up to and including 5.8.0.
  - The issue is present wherever the plugin uses Dompdf for PDF rendering and retains the insecure configuration.

## 2. Technical Details

- Root cause analysis
  - The core issue is insecure Dompdf configuration in `includes/front/wcdn-front-function.php`.
  - Old code:
    - `options->set( 'isPhpEnabled', true );`
  - With this option set, Dompdf evaluates PHP code found in HTML content during PDF generation.
  - This is unsafe when any of the rendered content may be influenced by user input.
  - The CVE description also identifies additional weaknesses:
    - missing capability check in `WooCommerce_Delivery_Notes::update`
    - missing output escaping in `template.php`
  - These weaknesses create an exploitable chain: unauthenticated access combined with injection of PHP-capable content into the PDF renderer.

- Attack vector and exploitation conditions
  - An attacker needs:
    - the vulnerable plugin installed,
    - access to a function or field that is included in the HTML sent to Dompdf,
    - the ability to trigger PDF generation or update the delivery note content.
  - The likely chain:
    1. The attacker injects PHP code into a user-controllable field or template variable.
    2. The plugin generates a delivery note/invoice PDF using Dompdf.
    3. Dompdf evaluates the embedded PHP code because `isPhpEnabled` is enabled.
    4. The injected PHP executes on the server.
  - The missing capability check means the attacker may not need to be authenticated to reach the vulnerable update path.

- Security implications
  - Arbitrary code execution on the web server.
  - Potential compromise of the WordPress site and host environment.
  - Ability to execute system commands, install backdoors, modify files, or exfiltrate data.
  - RCE via a plugin used in ecommerce sites is especially dangerous because it may include payment, customer, and order data.

## 3. Patch Analysis

- What code changes were made?
  - In `includes/front/wcdn-front-function.php`, the Dompdf option was changed from:
    - `options->set( 'isPhpEnabled', true );`
  - to:
    - `options->set( 'isPhpEnabled', false );`

- How do these changes fix the vulnerability?
  - Disabling `isPhpEnabled` prevents Dompdf from executing PHP embedded in HTML content.
  - Any injected `<?php ... ?>` payload is no longer evaluated by the PDF renderer.
  - This removes the code execution vector provided by Dompdf, which is the critical exploitation mechanism.

- Security improvements introduced
  - Changes the Dompdf configuration to a secure default.
  - Eliminates a dangerous capability that should never be enabled for untrusted content.
  - Reduces the attack surface of PDF generation in the plugin.
  - Note: while this fix addresses the Dompdf vector, the broader issue also requires proper authorization checks and escaping elsewhere in the plugin.

## 4. Proof of Concept (PoC) Guide

- Prerequisites for exploitation
  - WordPress site running Print Invoice & Delivery Notes for WooCommerce version 5.8.0 or earlier.
  - Plugin uses Dompdf for PDF generation.
  - Attacker can influence content that is rendered in the delivery note or invoice HTML.
  - Vulnerable path accessible without sufficient authorization (as indicated by the missing capability check).

- Step-by-step exploitation approach
  1. Identify a field or template variable included in generated PDF output.
  2. Inject PHP code, e.g.:
     - `<?php system($_GET['cmd']); ?>`
  3. Trigger the plugin’s PDF generation routine for an invoice or delivery note.
  4. Access the generated PDF endpoint with a command parameter, for example:
     - `?cmd=id`
  5. Observe the command output or side effects in the response or server behavior.

- Expected behavior vs exploited behavior
  - Expected behavior:
    - The plugin generates a PDF from HTML content and returns a delivery note or invoice PDF.
    - No server-side PHP execution occurs from user-supplied content.
  - Exploited behavior:
    - The injected PHP payload is executed during PDF generation.
    - Arbitrary commands run on the server as the web server user.

- How to verify the vulnerability exists
  - Confirm plugin version is <= 5.8.0.
  - Inspect `includes/front/wcdn-front-function.php` and verify `isPhpEnabled` is set to `true`.
  - Test whether user-controlled content appears in the rendered PDF HTML.
  - Attempt a non-destructive probe payload and observe whether PHP execution occurs.

## 5. Recommendations

- Mitigation strategies
  - Upgrade the plugin to a patched version where `isPhpEnabled` is disabled.
  - If patching immediately is not possible, disable or remove the affected PDF generation functionality.
  - Restrict access to plugin endpoints with proper capability checks and authentication.

- Detection methods
  - Monitor web logs for requests containing PHP tags (`<?php`) to plugin endpoints.
  - Look for unusual POSTs/GETs targeting delivery note or update routes.
  - Audit plugin files for insecure Dompdf configuration and missing access controls.
  - Use host-based detection for unexpected PHP execution from the plugin process.

- Best practices to prevent similar issues
  - Never enable PHP execution in template or rendering engines for untrusted content.
  - Apply least privilege to all admin/update functions: verify capabilities before performing updates.
  - Escape all output in templates and avoid rendering raw user input.
  - Use secure default settings for third-party libraries.
  - Perform regular code reviews of plugin modules that handle rich content and file generation.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

includes/front/wcdn-front-function.php AI: 1 vulnerabilities 1 true positive CVE-2025-13773

--- cache/woocommerce-delivery-notes_5.8.0/includes/front/wcdn-front-function.php	2025-12-24 00:33:41.321472434 +0000+++ cache/woocommerce-delivery-notes_5.9.0/includes/front/wcdn-front-function.php	2025-12-24 00:35:35.496538362 +0000@@ -34,7 +34,7 @@ 	// Instantiate and use the dompdf class. 	$options = new \Dompdf\Options(); 	$options->set( 'isRemoteEnabled', true );-	$options->set( 'isPhpEnabled', true );+	$options->set( 'isPhpEnabled', false ); 	$dompdf = new Dompdf( $options );  	// Load content from html file.

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Code Injection - CWE-95 - includes/front/wcdn-front-function.php [37]

Old Code:
```php
$options->set( 'isPhpEnabled', true );
```

Fixed Code:
```php
$options->set( 'isPhpEnabled', false );
```

Explanation:
Enabling PHP code execution within Dompdf (`isPhpEnabled` set to `true`) creates a critical code injection vulnerability. When this option is enabled, any PHP code embedded in HTML passed to Dompdf will be executed on the server. This is particularly dangerous in a PDF generation context where user-controlled content (such as order details in WooCommerce delivery notes) might be included. An attacker could inject malicious PHP code that would execute with the privileges of the web server process, potentially leading to remote code execution (RCE). The fix correctly disables PHP execution by setting `isPhpEnabled` to `false`, which prevents arbitrary PHP code from being evaluated during PDF generation. This is the secure default configuration for Dompdf.

CVE Analysis Results:

CVE-2025-13773: Yes

View CVE Description

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.

Showing 1 to 1 of 1 results