Severity by source
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (vendor: Wordfence)
Unauthenticated network AJAX endpoint (AV:N/PR:N/UI:N) with trivial exploitation (AC:L) yields full admin takeover, giving total C/I/A impact.
Primary rating from vendor (Wordfence).
Description (source: CVE.org)
The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.
Analysis (AI-generated)
Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. …
Vulnerability Assessment (AI-generated)

| Area | Assessment |
| --- | --- |
| Exploitation | Exploitation requires only that the Invoice Generator plugin (≤1.0.0) be installed and active and that /wp-admin/admin-ajax.php be reachable over the network, which is the default deployment state. … |
| Risk Assessment | All authoritative signals point the same direction: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical) reflects a network-reachable, low-complexity, unauthenticated, no-interaction attack with full confidentiality, integrity, and availability impact once an admin account is taken over. … |
| Exploit Scenario | An attacker enumerates the site's admin user ID (commonly 1, or via the REST users endpoint), then sends a single unauthenticated POST to /wp-admin/admin-ajax.php with action=pravel_invoice_edit_account, user_id of the administrator, and user_email set to an attacker-controlled mailbox. The handler updates the admin's email without authentication; the attacker then requests a WordPress password reset, receives the link at their mailbox, sets a new password, and logs in as administrator. … |
| Remediation | No fixed version is stated in the provided data, so treat this as: no vendor-released patched version independently confirmed at time of analysis. Monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/ee045d0d-101a-4ae2-b209-4a4865eec195?source=cve) and the plugin page for an update beyond 1.0.0 and apply it immediately when released. … |
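To make the missing checks concrete for anyone reviewing similar AJAX handlers, here is an added illustration (not the plugin's source, which the advisory does not reproduce): the pattern the description above attributes to pravel_invoice_edit_account(), reconstructed in PHP beside a hardened handler that applies the controls the remediation row calls for. The function and hook names come from the description; the nonce action name `pravel_invoice_nonce` and the `_secure` suffix are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The first handler is a
// reconstruction of the pattern the advisory describes; the second shows
// the checks that pattern lacks. 'pravel_invoice_nonce' is an assumed name.

// --- Vulnerable pattern (as described): registered on the 'nopriv' hook,
//     so anonymous callers reach it; no nonce, no capability check, and the
//     caller chooses which user_id gets its e-mail rewritten. ---
add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', 'pravel_invoice_edit_account' );
add_action( 'wp_ajax_pravel_invoice_edit_account', 'pravel_invoice_edit_account' );
function pravel_invoice_edit_account() {
    wp_update_user( array(
        'ID'         => intval( $_POST['user_id'] ),
        'user_email' => sanitize_email( $_POST['user_email'] ),
    ) );
    wp_send_json_success();
}

// --- Hardened form: logged-in users only (no 'nopriv' registration),
//     CSRF nonce, and the target must be the caller or an account the
//     caller is allowed to edit. ---
add_action( 'wp_ajax_pravel_invoice_edit_account_secure', 'pravel_invoice_edit_account_secure' );
function pravel_invoice_edit_account_secure() {
    // Authentication: reject anonymous callers outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // CSRF: the 'nonce' POST field must come from wp_create_nonce( 'pravel_invoice_nonce' ).
    check_ajax_referer( 'pravel_invoice_nonce', 'nonce' );

    // Ownership / capability: default to the caller's own account; editing
    // anyone else requires the 'edit_user' meta capability for that ID.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( $target_id !== get_current_user_id() && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation before the sensitive write.
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid e-mail address', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $target_id ) );
}
```

Note that the e-mail rewrite is what makes the password-reset chain work, so on a site that ran the vulnerable version, reviewing recent `user_email` changes on administrator accounts is a useful post-incident check.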
Recommended Action (AI-generated)
Within 24 hours: audit all WordPress installations for the Pravel Invoice Generator plugin and immediately disable or remove it from production environments. …
Related identifiers
- EUVD-2026-39943
- GHSA-f3q2-677p-c93v