PT-2025-5351 · WordPress · Woocommerce Pdf Invoices & Packing Slips

Alexmigf · Published 2025-02-04 · Updated 2025-02-05 · CVE-2025-24373

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

woocommerce-pdf-invoices-packing-slips versions prior to 4.0.0

Description

This issue allows unauthorized users to access any PDF document from a store if they have access to a guest document link and replace the URL variable my-account with bulk. The problem occurs when the store's document access is set to "guest" and the user is logged out, compromising the confidentiality of sensitive documents. All stores using the plugin with the guest access option enabled are affected.

Recommendations

For versions prior to 4.0.0, upgrade to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the guest access option to minimize the risk of exploitation. Restrict access to sensitive documents until the issue is resolved.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-24373
GHSA-3J9M-CP35-94FR

Affected Products

Woocommerce Pdf Invoices & Packing Slips