Skip to main content
CVE-2026-12415 CRITICAL POC Act Now

Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.

Privilege Escalation WordPress Invoice Generator
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy