CVE-2025-13773
Published: 24 December 2025
Summary
CVE-2025-13773 is a critical-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to remote code execution in all versions through 5.8.0. The flaw resides in the WooCommerce_Delivery_Notes::update function and results from a missing capability check, PHP execution enabled within the bundled Dompdf library, and absent output escaping in the template.php file. It is tracked as CVE-2025-13773 and carries a CVSS 3.1 base score of 9.8 along with CWE-94.
Unauthenticated attackers can reach the vulnerable endpoint over the network without authentication or user interaction. Successful exploitation allows arbitrary PHP code execution on the underlying server, granting complete control over confidentiality, integrity, and availability of the affected WordPress installation.
The EPSS score remains flat at 0.0874 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205036
Vulnerability details
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function,…
more
PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated remote code execution in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to block unauthenticated access to the vulnerable WooCommerce_Delivery_Notes::update function.
Validates and sanitizes inputs to prevent code injection through the unescaped data in template.php.
Mandates secure configuration settings to disable PHP execution in Dompdf, eliminating the code execution vector.