CVE Catalog

CVE-2026-12416

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to and including 1.0.0. The issue arises from the lack of nonce verification and authorization checks in the `pravel_invoice_change_password()` function, allowing for easy bypass of security measures.

Risk Assessment

Attackers can take over any account on the site, including administrator accounts, posing a serious security threat to the organization.

Recommendation

It is recommended to update the plugin to the latest version and implement additional security measures such as nonce verification and authorization for password reset operations.

Original NVD description (English source)

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS