PT-2024-11923 · WordPress · Print Invoice & Delivery Notes

Published: 2024-01-16 · Updated: 2024-01-22
CVE-2023-0479
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Print Invoice & Delivery Notes for WooCommerce WordPress plugin, versions prior to 4.7.2
Description
The issue is a reflected XSS vulnerability: a GET parameter value is echoed back inside an admin note on the WooCommerce orders page. It can be exploited by users with the edit_others_shop_orders capability, which requires WooCommerce to be installed and active. The root cause is that urldecode() is applied to the value after it has already been sanitized with esc_url_raw(); a double-encoded value therefore passes the sanitizer unchanged and is only decoded afterward, so the sanitization is undone.
Recommendations
For versions prior to 4.7.2, update to version 4.7.2 or later to resolve the issue. As a temporary workaround until the update is applied, restrict access to the WooCommerce orders page for users with the edit_others_shop_orders capability.
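The sanitize-then-decode ordering described above, shown next to the hardened ordering. This is an added illustration, not the plugin's code; esc_url_raw_like() is a stand-in that reproduces only the character-stripping step of WordPress esc_url_raw() so the snippet runs in plain PHP, and the sample value is constructed.

```php
<?php
// Added illustration of the ordering bug behind CVE-2023-0479 (not the plugin's code).
// esc_url_raw_like() is a stand-in for WordPress esc_url_raw(): it strips bytes that are
// not valid in a URL but deliberately keeps '%', so a percent-encoded sequence such as
// %3C passes through untouched. (Approximation only; the real function also normalises
// protocols and HTML entities.)
function esc_url_raw_like(string $url): string {
    return preg_replace('|[^a-z0-9\-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', $url);
}

// Vulnerable order: sanitize first, decode afterwards. Any character hidden behind a
// '%' escape is reintroduced after the sanitizer has already run.
function note_vulnerable(string $raw): string {
    return urldecode(esc_url_raw_like($raw));
}

// Hardened order: decode first so the sanitizer sees the real characters, then escape
// for the HTML context at output time (esc_html() in WordPress; htmlspecialchars() here).
function note_hardened(string $raw): string {
    $decoded = urldecode($raw);
    return htmlspecialchars(esc_url_raw_like($decoded), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: PHP decodes the query string once when filling $_GET, so a
// doubly-encoded request (%253C) arrives here as the single-encoded %3C.
$sample = 'order-123%3Cmarker';

printf("vulnerable: %s\n", note_vulnerable($sample));
printf("hardened:   %s\n", note_hardened($sample));
```

The vulnerable path returns the raw "<" to the page even though the sanitizer ran; the hardened path strips it and escapes whatever remains before it reaches HTML.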

Weakness: XSS
Related Identifiers: CVE-2023-0479
Affected Products: Print Invoice & Delivery Notes