Summary
A critical Remote Code Execution vulnerability in WooCommerce Delivery Notes <= 5.8.0 allowed attackers to inject PHP code into plugin settings. The malicious code executed when any admin or the backend printed an invoice via DomPDF, installing backdoors and creating unauthorized admin accounts.
This vulnerability was publicly disclosed in December 2025 and is actively being exploited in the wild.
Attack Chain
- Attacker injected obfuscated PHP into the wcdn_invoice_customization option via an unsanitized settings endpoint
- Admin triggered execution by printing any invoice (DomPDF rendered the malicious payload with isPhpEnabled = true)
- Backdoor wpclean.php created, followed by the wp-sph and wp-downloader plugins
- Unauthorized admin user created for persistent access
Affected Versions
- Vulnerable: WooCommerce Delivery Notes <= 5.8.0
- Patched: Version 5.9.0 (changelog)
Remediation
Immediate Actions
-- Remove malicious settings
DELETE FROM wp_options WHERE option_name = 'wcdn_invoice_customization';
-- Find obfuscated payloads (chr() encoding commonly used)
SELECT option_name FROM wp_options WHERE option_value LIKE '%chr(%';
- Update plugin to >= 5.9.0 immediately
- Delete backdoor files: wpclean.php, wp-sph/, wp-downloader/
- Audit wp_users for unauthorized administrators
- Change all user passwords
Indicators of Compromise
- PHP files in uploads or the wp-content/plugins directory
- Unknown admin users (e.g., woobot)
- wp_options entries containing chr( sequences
- Access logs showing requests to wpclean (with status code 200) and/or wp-sph
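Added example, not part of this advisory: a small Python triage script that applies the checks above to constructed sample data. It decodes chr() concatenation found in wp_options values so the hidden payload can be read, and flags access-log requests to wpclean that returned 200 or any request touching wp-sph. The sample option rows and log lines are constructed, not captured from a real site.

```python
import re

# Constructed sample wp_options rows (option_name, option_value); not real captured data.
SAMPLE_OPTIONS = [
    ("wcdn_invoice_customization",
     "<?php echo chr(104).chr(101).chr(108).chr(108).chr(111); ?>"),
    ("wcdn_email_template", "Thank you for your order"),
]

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:14:02:11 +0000] "GET /wpclean.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2025:14:03:40 +0000] "GET /wp-content/plugins/wp-sph/index.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2025:14:05:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# A run of chr(n) calls joined by dots, e.g. chr(104).chr(101)
CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
CHR_ONE = re.compile(r"chr\((\d+)\)")

def decode_chr_sequences(value):
    """Replace every chr(n).chr(m)... run with the string it builds, so an
    obfuscated option value can be read during triage."""
    def build(match):
        return "".join(chr(int(n)) for n in CHR_ONE.findall(match.group(0)))
    return CHR_RUN.sub(build, value)

def suspicious_options(rows):
    """Return (option_name, decoded_value) for rows holding chr( obfuscation
    or a PHP open tag; mirrors the LIKE '%chr(%' query in the remediation."""
    return [(name, decode_chr_sequences(value))
            for name, value in rows if "chr(" in value or "<?php" in value]

# ip, timestamp, method, path, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_requests(log_text):
    """Flag requests to wpclean that were served (status 200) and any request
    touching wp-sph, regardless of status, as the IoC list describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status = m.groups()
        if ("wpclean" in path and status == "200") or "wp-sph" in path:
            hits.append((ip, path, int(status)))
    return hits
```

Run the two functions over a real wp_options export and web server access log to get a shortlist for manual review; a 404 on wp-sph still indicates probing and is kept on purpose.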
References
- Wordfence Vulnerability Database
- WordPress Plugin Repository
- DomPDF PHP Execution Security Considerations
Severity: Critical (CVSS 9.8) | Status: Actively Exploited | Fix: Update to v5.9.0+