I’m very sorry about that; that’s quite serious indeed. Following the information you shared with us by email, these invoices seem to be stored in a location that is not governed by our plugin, following this pattern: https://yoursite.com/wp-content/uploads/wp-offload-ses/xxxxxxxxx/invoice-xxxxxxxx.pdf
This is stored in a folder from wp-offload-ses, and that folder appears to be an open dir that you can browse:
https://yoursite.com/wp-content/uploads/wp-offload-ses/
In fact, the whole uploads folder for that site is an open dir: https://yoursite.com/wp-content/uploads/
Meaning that all files on the site can be browsed (and downloaded) without requiring any keys.
You can also see that the folder that the PDF Invoice plugin does use for temporary files is properly protected:
https://yoursite.com/wp-content/uploads/wpo_wcpdf/attachments/
Our plugin places an index.php as well as an .htaccess file inside the folder, which prevents it from being browsable by someone trying their luck. This is a backup measure we put into place in case the server has not been configured to block browsing files (like yours).
Your first step should be to contact your host and tell them to disable these folder indexes.
Next, you will want to contact Google and ask them to remove all these indexed results.
And as bad as it is, I think officially you may need to report this as a data leak, at least to the affected customers. Some of the invoices seem to be from European customers and they would be covered by GDPR.
I understand that it’s an extremely unpleasant situation (to put it mildly), I hope that with the above information you can close this quickly.
Best of luck!
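As an added illustration of the backup measure described in the reply above (example code written for this page, not the plugin's own code), the shell functions below drop the same two guard files into a folder and audit an uploads tree for subfolders that still have neither. It assumes Apache with AllowOverride enabled for the uploads path; the directory names in the test are constructed.

```shell
#!/bin/sh
# Added example: replicate the plugin's guard files for any directory and
# find directories under an uploads root that are still browsable.
# Assumes Apache honours .htaccess (AllowOverride Options) and serves index.php.

# Write index.php and .htaccess into one directory; existing files are left untouched.
protect_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if [ ! -f "$dir/index.php" ]; then
        # A PHP file that outputs nothing: a request for the folder runs it
        # instead of producing a listing, even if Options -Indexes is ignored.
        printf '%s\n' '<?php' '// Silence is golden.' > "$dir/index.php"
    fi
    if [ ! -f "$dir/.htaccess" ]; then
        # Tell Apache not to generate an automatic directory index here.
        printf '%s\n' 'Options -Indexes' > "$dir/.htaccess"
    fi
}

# Print every directory under the root that has neither guard file, one per line.
# Useful as a periodic check over wp-content/uploads after other plugins add folders.
audit_uploads() {
    find "$1" -type d \
        ! -exec sh -c 'test -f "$1/index.php"' _ {} \; \
        ! -exec sh -c 'test -f "$1/.htaccess"' _ {} \; \
        -print | sort
}

# Protect every directory that the audit reports.
protect_tree() {
    audit_uploads "$1" | while IFS= read -r d; do
        protect_dir "$d"
    done
}
```

Fixing the server configuration (disabling directory indexes globally) remains the primary control; these files only cover the case where that has not been done.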