CVE Catalog

CVE-2026-12415

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.66%

47th percentile — higher than 47% of all known CVEs

Summary

The Invoice Generator plugin for WordPress up to version 1.0.0 contains a privilege escalation vulnerability. Missing capability checks in the pravel_invoice_edit_account() AJAX action allow unauthenticated attackers to change the email address of any user, including administrators, and then use the password reset flow to take over the account.

Risk Assessment

The organization is at risk of complete administrative account takeover by an unauthenticated attacker, potentially leading to data theft, website defacement, or further attacks on the infrastructure.

Recommendation

Immediately update the Invoice Generator plugin to the latest available version. If no update is available, temporarily disable the plugin until a patch is released.

Original NVD description (English source)

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS