CVE-2024-13640: 
WordPress vulnerability analysis and mitigation

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress (CVE-2024-13640) contains a Sensitive Information Exposure vulnerability affecting all versions up to and including 5.4.1. The vulnerability was disclosed on March 8, 2025, and is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability exists in the 'wcdn/invoice' directory implementation. The CVSS v3.1 score is 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network accessible, requires high attack complexity, needs no privileges or user interaction, has unchanged scope, and can result in high confidentiality impact without affecting integrity or availability (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to extract sensitive data stored in the /wp-content/uploads/wcdn/invoice directory. This directory may contain invoice files if the email attachment setting is enabled, potentially exposing confidential business and customer information (NVD).

Users should update to a version newer than 5.4.1 once available. The vulnerability has been identified and documented in the WordPress plugin repository (WordPress Plugin).