CVE-2026-52704 | Improper Control of Generation of Code ('Code Injection') vu… | CVSS 10.0 CRITICAL

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

Metadata

CVE ID: CVE-2026-52704
State: PUBLISHED
Assigner: Patchstack
Reserved: 2026-06-08 10:11 UTC
Published: 2026-06-15 12:49 UTC
Last updated: 2026-06-15 15:54 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: Edgar Rojas / WooCommerce PDF Invoice Builder
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Edgar Rojas	WooCommerce PDF Invoice Builder	—	n/a ≤ 2.0.8

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://patchstack.com/database/wordpress/plugin/woo-pdf-invoice-builder/vulnerability/wordpress-woocommerce-pdf-invoice-builder-plugin-2-0-8-remote-code-execution-rce-vulnerability?_s_id=cve