Max-Severity Takeover Flaw in a WooCommerce Invoice Plugin: CVE-2026-52704, Update to 2.0.9 Now
WooCommerce PDF Invoice Builder, a popular plugin for generating invoice PDFs on WordPress stores, has a max-severity flaw (CVE-2026-52704, scored 10.0). With no login required, anyone can take over the shop's server over the internet. The fixed version 2.0.9 is out; update affected stores now.

Makoto Horikawa
Backend Engineer / AWS / Django
A popular plugin for generating invoice and packing-slip PDFs on WordPress online stores, "WooCommerce PDF Invoice Builder," has a flaw rated at the maximum severity of 10.0. It is tracked as CVE-2026-52704. With no login and no sign-up required, anyone can run code of their choosing on the shop's server over the internet.
The developer has already released a fixed version, 2.0.9. If your online store uses this plugin, update now rather than later. Patchstack, which tracks WordPress plugin vulnerabilities, disclosed it on June 15, 2026.
✓ What is confirmed so far
- ✓ The affected product is WooCommerce PDF Invoice Builder (repository name "PDF Builder for WooCommerce"), version 2.0.8 and earlier (NVD)
- ✓ Severity is 10.0 (the maximum on a 10-point scale); the class is code being improperly generated and executed (CWE-94)
- ✓ Exploitable remotely without a login (the CVSS vector's privilege requirement is PR:N)
- ✓ The fixed version 2.0.9 is out. Credited to researcher "she11f"; no known exploitation or KEV listing as of now
What is WooCommerce PDF Invoice Builder
WooCommerce is the standard way to build an online store on WordPress. It is used by small and mid-sized shops worldwide, and it is widely adopted by sole proprietors and small e-commerce sites in Japan too.
WooCommerce PDF Invoice Builder is a plugin you add on top of WooCommerce. When an order comes in, it lets you freely design invoices, packing slips, and receipts as PDFs through a drag-and-drop editor, then email them to customers automatically. The developer is Edgar Rojas (Rednao); the active install count on the official WordPress directory is 2,000+, and the latest version is 2.0.9. Counting the paid edition, the number of live sites is likely higher.
The flip side of that convenience is that features which "auto-generate documents from a template" often assemble strings internally and process them as program code. One mistake in how input is handled, and a string sent in from the outside can run as a command. This vulnerability sat squarely in that generation step.
From a Small Window That Prints Invoices, the Whole Store Walks Out
"Severity 10.0" is a perfect score out of ten; nothing is worse. It reaches the top because the attack needs no login and no special privileges — just one crafted request sent over the network — and because the damage extends to the entire server. From the perspective of someone running an online store, it means anyone in the world can walk in the back door without holding the keys.
The first to jump on this are not thrill-seekers. The ones with clear motives are attack crews that target online stores for money, gangs that plant fake input fields on the checkout page to steal and resell credit card numbers, operators who use a hijacked shop as a springboard to spread fake storefronts and spam, and ransomware groups that encrypt a site and demand "pay up if you want it back". What they come for is not abstract "data" but the buyer's credit card details, the purchase history complete with name, address, and phone number, the administrator password, the sales records, and the server itself. The moment one crafted request slips through this generation step, the shop's server passes wholesale into their hands, and the till and the customer list alike are theirs to carry off.
In security terms, this is "code injection" — getting the app to run commands the attacker supplies. The fact that no login is required (PR:N) is especially nasty: flaws like this are not picked off one site at a time by humans, but found by programs (bots) that crawl the entire web and try every site automatically. So "we're too small to be targeted" simply does not apply. A server once taken over gets resold as a launch pad for the next attack or as a place to host fake sites that deceive other victims, and the damage spreads beyond your own store.
The number "10.0" only marks technical severity. For someone running a shop solo or with a small team, what really hurts is apologizing to and compensating the customers whose data leaked, reporting to the data protection authority, the sales that stopped, the cost of rebuilding the site from scratch, and the reputation that "buying from that shop is risky". What you lose is not "one server" but the customer trust you built up over the years.
CVE-2026-52704: outside commands slip into the generation step
When this plugin assembles an invoice PDF from a template, it dynamically generates program code internally to do the work. According to the NVD description, CVE-2026-52704 means "improper control of code generation, allowing remote code inclusion." It is classified as improper control of code generation (CWE-94, code injection): input from outside ends up inside the code the plugin generates and executes.
In other words, if an attacker sends in a request containing their own commands, those get assembled as part of the legitimate code and run directly on the server. By rights, a string arriving from outside should be treated as "just data" and never executed as a command. That partition being broken is the heart of this vulnerability.
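The broken partition between data and code described in the two paragraphs above, and in the "auto-generate documents from a template" remark earlier, is easier to see side by side. The following is an added illustration written for this article in Python, not the plugin's own code (which the article does not show): one renderer pastes order data into the template text and then executes the whole text as code, the other computes values in code and substitutes fields by name only. The order, the template and the customer name containing a brace expression are all constructed.

```python
"""Two invoice renderers for the same order: one that compiles template plus data
into code (the CWE-94 shape the article describes) and one that treats external
data strictly as data. Added illustration in Python; not the plugin's code."""
import string

# Constructed order. The customer name is the externally supplied field and
# carries a brace expression, the kind of text a renderer must never execute.
ORDER = {
    "order_id": "10042",
    "customer_name": "Alice {7*191}",
    "total": "49.90",
}

# Template as a shop designer might write it: {{field}} marks a data slot,
# single braces hold an expression the renderer computes (here: 19% VAT).
TEMPLATE = ("Invoice #{{order_id}} for {{customer_name}}: {{total}} EUR "
            "incl. VAT {round({{total}} * 0.19, 2)} EUR")


def render_by_code_generation(template, order):
    """Vulnerable: data is pasted into the template text, then the whole text is
    executed as code. The customer's braces become an expression and run."""
    text = template
    for field, value in order.items():
        text = text.replace("{{" + field + "}}", str(value))
    return eval("f" + repr(text))  # executes every {...} in text, data included


SAFE_TEMPLATE = string.Template(
    "Invoice #$order_id for $customer_name: $total EUR incl. VAT $vat EUR")


def render_data_only(template, order):
    """Hardened: computed values are produced in code from typed inputs, then every
    field is substituted by name. Field values are never scanned or evaluated."""
    fields = {key: str(value) for key, value in order.items()}
    fields["vat"] = f"{round(float(order['total']) * 0.19, 2):.2f}"
    return template.substitute(fields)  # raises KeyError if a slot has no field


if __name__ == "__main__":
    print(render_by_code_generation(TEMPLATE, ORDER))  # "... Alice 1337 ..."
    print(render_data_only(SAFE_TEMPLATE, ORDER))      # "... Alice {7*191} ..."
```

In the first renderer the customer's `{7*191}` is evaluated to `1337` exactly as the designer's VAT expression is; the renderer cannot tell them apart because both have become code by the time anything runs. In the second, `string.Template` scans only the template for `$name` slots, so a field value is printed verbatim whatever characters it holds, and a slot with no matching field fails closed instead of being guessed.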
The technical scoring (CVSS vector) is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, a perfect 10.0. It looks daunting, but the gist is: over the network (AV:N), under easy conditions (AC:L), with no login (PR:N) and no user interaction (UI:N), it succeeds, crosses beyond the plugin to the whole server (S:C), and the impact on stealing, tampering with, and destroying information is all at the maximum (C:H/I:H/A:H). Almost nothing is required for the attack to land, and that worst-case combination is what produces the perfect score.
Is your shop affected, and what should you do
The affected product is WooCommerce PDF Invoice Builder (PDF Builder for WooCommerce), version 2.0.8 and earlier. Check the plugin's version from the WordPress admin screen. Here is who is affected and what to do, by usage.
| Version you run | Affected by CVE-2026-52704 | What to do |
|---|---|---|
| 2.0.8 and earlier | Affected (at risk) | Update to 2.0.9 right now |
| 2.0.9 and later | Fixed | No action needed if already updated |
| Not using it | Not affected | — |
The top priority is to update the plugin to 2.0.9 or later. An update notice should be showing on the WordPress "Plugins" screen, so apply it. If you cannot update right away, consider temporarily deactivating or removing the plugin. Given that its job is auto-generating invoice PDFs, you can usually keep selling at the storefront even with it turned off.
It is also worth checking whether you were already breached before updating. Look for administrator accounts you do not recognize, suspicious PHP files placed among your site's files, and unfamiliar access logs. If you cannot tell, the safe path is to restore from a backup and consult a professional early. Keeping WordPress core, themes, and other plugins up to date as well shrinks the damage whenever a flaw like this appears.
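The version check and the "suspicious PHP files placed among your site's files" check from the last two paragraphs can be scripted so they run the same way on every store you manage. The script below is an added example written for this article, not a tool from the plugin's developer or from Patchstack. It assumes the plugin lives under `wp-content/plugins/woocommerce-pdf-invoice-builder` (the directory name is an assumption), reads the `Version:` header from the first 8 KB of the plugin's main file the way WordPress itself does, and flags PHP files under `wp-content/uploads`, where only media belongs. The WordPress tree it runs against is constructed in a temporary directory so the example works offline.

```python
"""Audit one WordPress install for the vulnerable plugin version (< 2.0.9) and
for PHP files under wp-content/uploads. Added example; the plugin directory
name and the sample site tree are assumptions, not taken from the article."""
from pathlib import Path
import re
import tempfile

PLUGIN_SLUG = "woocommerce-pdf-invoice-builder"   # assumed directory name
FIXED_VERSION = (2, 0, 9)                         # from the article
# Extensions a web server would normally execute; none belong in uploads.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar"}
# WordPress reads plugin headers such as "Version: 2.0.8" from the file's first 8 KB.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """'2.0.8' -> (2, 0, 8); tuples compare correctly even with differing lengths."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def installed_version(wp_root):
    """Return the plugin's header version, or None if the plugin is not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        match = HEADER_RE.search(php_file.read_text(errors="replace")[:8192])
        if match:
            return match.group(1)
    return None


def is_vulnerable(version):
    return version is not None and parse_version(version) < FIXED_VERSION


def php_in_uploads(wp_root):
    """Paths (relative to the site root) of executable files under uploads."""
    root = Path(wp_root)
    uploads = root / "wp-content" / "uploads"
    return sorted(
        p.relative_to(root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    )


def audit(wp_root):
    version = installed_version(wp_root)
    return {
        "plugin_version": version,
        "vulnerable": is_vulnerable(version),
        "php_in_uploads": php_in_uploads(wp_root),
    }


def build_sample_site(version="2.0.8"):
    """Constructed WordPress-like tree so the audit can run offline."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin.mkdir(parents=True)
    (plugin / "plugin.php").write_text(
        f"<?php\n/*\nPlugin Name: PDF Builder for WooCommerce\nVersion: {version}\n*/\n")
    uploads = root / "wp-content" / "uploads" / "2026" / "06"
    uploads.mkdir(parents=True)
    (uploads / "invoice-10042.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (uploads / "cache.php").write_text("<?php /* constructed: PHP where only media belongs */\n")
    return root


if __name__ == "__main__":
    print(audit(build_sample_site()))
```

Point `audit()` at a real site root instead of the constructed one to use it. A hit in `php_in_uploads` is not proof of compromise on its own, but it is exactly the kind of file the article says to look for, and it should be explained before the site is declared clean; the administrator-account and access-log checks still have to be done from the WordPress admin screen and the web server logs.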
"Takeovers" via e-commerce plugins keep happening
Cases where a plugin for online stores becomes the entry point for a takeover are endless. On this site we have covered a server takeover abusing an extension for the Magento commerce platform (CVE-2026-45247), the WordPress flaw that lets an editor run arbitrary code via WPCode (CVE-2026-8832), and the cPanel LiteSpeed plugin case where the whole server was taken over (CVE-2026-48172).
What they share is that it is the "bolt-on extension," not the core, that gets targeted. Even when WordPress and WooCommerce themselves are carefully managed, a single hole in a plugin you added for convenience can bring down the entire server. A plugin is not "install it and you're done" — like the core, it is something to keep updating, and that is the most basic habit for protecting an online store.
Exploitation status, and what to keep an eye on
As of June 15, 2026, there are no reports of CVE-2026-52704 being used in real attacks, and it is not listed in the U.S. government's CISA KEV catalog of actively exploited vulnerabilities. You can track the latest status of exploited flaws in one place on our CISA KEV dashboard (Japanese).
That said, a flaw rated 10.0 and exploitable without a login is extremely attractive to attackers. Indiscriminate scanning often begins once such an issue is published, so "not attacked yet" does not mean "no need to update." With fixed version 2.0.9 already out, getting the update done now is the most reliable defense.
References
- ▸ NVD - CVE-2026-52704 (published June 15, 2026)
- ▸ Patchstack - WooCommerce PDF Invoice Builder Unauthenticated RCE (CVE-2026-52704)
- ▸ WordPress.org - PDF Builder for WooCommerce (plugin page)
- ▸ MITRE - CWE-94: Improper Control of Generation of Code ('Code Injection')
- ▸ CISA - Known Exploited Vulnerabilities Catalog