Cyber Resilience

CVE-2025-13773

Critical RCE

Published: 24 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch:
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0256 (83.0th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13773 is a critical-severity Code Injection (CWE-94) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to remote code execution in all versions through 5.8.0. The flaw resides in the WooCommerce_Delivery_Notes::update function and results from a missing capability check, PHP execution enabled within the bundled Dompdf library, and absent output escaping in the template.php file. It is tracked as CVE-2025-13773 and carries a CVSS 3.1 base score of 9.8 along with CWE-94.

The vulnerable endpoint is reachable over the network without authentication or user interaction. Successful exploitation allows arbitrary PHP code execution on the underlying server, granting complete control over the confidentiality, integrity, and availability of the affected WordPress installation.

The EPSS score remains flat at 0.0874 with no material increase after disclosure.

Vulnerability details

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to a missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
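The three root causes above map to three separate fixes. The following is an added illustration, not the plugin's own code: a hypothetical WordPress admin-ajax handler and PDF renderer showing the capability check, the Dompdf setting, and the output escaping that a hardened version needs. The wcdn_* function names, the nonce action and the option key are placeholders.

```php
<?php
// Added illustration (not the plugin's code). Assumed: wcdn_* names, the
// 'wcdn_save_template' nonce action and the 'wcdn_invoice_template' option key.

use Dompdf\Dompdf;
use Dompdf\Options;

// Root cause 1: missing capability check. A state-changing handler must verify
// both a nonce (request forgery) and a capability (authorization). Without the
// capability check, any request reaching admin-ajax is accepted.
function wcdn_save_template() {
    check_ajax_referer( 'wcdn_save_template', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw      = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : '';
    $template = wp_kses_post( $raw );   // strip anything that is not allowed post markup
    update_option( 'wcdn_invoice_template', $template );
    wp_send_json_success();
}
// Only the logged-in hook is registered: no wp_ajax_nopriv_ variant, so
// logged-out users never reach the handler at all.
add_action( 'wp_ajax_wcdn_save_template', 'wcdn_save_template' );

// Root cause 2: PHP execution enabled in Dompdf. Inline <?php ... ?> blocks in
// the HTML are evaluated only when isPhpEnabled is true; keep it off, and keep
// remote resource loading off as well when the HTML contains stored data.
function wcdn_render_pdf( string $html ): string {
    $options = new Options();
    $options->setIsPhpEnabled( false );
    $options->setIsRemoteEnabled( false );
    $dompdf = new Dompdf( $options );
    $dompdf->loadHtml( $html );
    $dompdf->render();
    return $dompdf->output();
}

// Root cause 3: unescaped output in the template. Escape each value where it
// is printed so stored order data cannot become markup inside the PDF HTML.
function wcdn_template_row( array $item ): string {
    return sprintf(
        '<tr><td>%s</td><td>%s</td></tr>',
        esc_html( (string) $item['name'] ),
        esc_html( (string) $item['qty'] )
    );
}
```

Reviewing a plugin for this class of bug means checking all three layers together: an authorization check alone does not help if an administrator-editable template is later rendered with PHP execution enabled.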

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated remote code execution in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (shared CWE-94)
CVE-2025-26970 (shared CWE-94)
CVE-2025-67489 (shared CWE-94)
CVE-2025-69983 (shared CWE-94)
CVE-2026-27984 (shared CWE-94)
CVE-2026-6169 (shared CWE-94)
CVE-2025-1119 (shared CWE-94)
CVE-2026-29014 (shared CWE-94)
CVE-2025-61196 (shared CWE-94)
CVE-2026-37712 (shared CWE-94)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Enforces approved authorizations to block unauthenticated access to the vulnerable WooCommerce_Delivery_Notes::update function.

Prevent: Validates and sanitizes inputs to prevent code injection through the unescaped data in template.php.

Prevent (CM-6, Configuration Settings): Mandates secure configuration settings to disable PHP execution in Dompdf, eliminating the code execution vector.

References