
Invoice Generator CVE-2026-12415

EUVD: EUVD-2026-39943 · CRITICAL
Improper Privilege Management (CWE-269)
Published 2026-06-27 · Source: Wordfence · GHSA-f3q2-677p-c93v
9.8
CVSS 3.1 · Vendor: Wordfence

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network AJAX endpoint (AV:N/PR:N/UI:N) with trivial exploitation (AC:L) yields full admin takeover, giving total C/I/A impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 27, 2026 - 04:59 (vuln.today)
CVE Published: Jun 27, 2026 - 04:30 (cve.org)

Description (CVE.org)

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.

Analysis (AI)

Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. …
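As an added example that is not the plugin's code and not part of the advisory: a reconstruction of the unsafe handler pattern the description and analysis above describe, next to a hardened version that adds the checks whose absence the CVE records. The hook and function name pravel_invoice_edit_account come from the advisory; the nonce action name, the `_safe` suffix and the JSON error responses are assumptions.

```php
<?php
// Added example, not the plugin's own code: an illustrative reconstruction of the
// unsafe pattern the advisory describes, followed by a hardened handler. Names
// other than pravel_invoice_edit_account and its hook are hypothetical.

// --- Unsafe pattern (reconstruction of what the advisory describes) ---
// Registered for unauthenticated visitors and trusts POST data wholesale:
// no nonce, no login check, no ownership/capability check.
add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', 'pravel_invoice_edit_account' );
function pravel_invoice_edit_account() {
    wp_update_user( array(
        'ID'         => $_POST['user_id'],
        'user_email' => $_POST['user_email'],
    ) );
    wp_send_json_success();
}

// --- Hardened handler (hypothetical name) ---
// Register only the logged-in hook; there is no wp_ajax_nopriv_ variant at all.
add_action( 'wp_ajax_pravel_invoice_edit_account', 'pravel_invoice_edit_account_safe' );
function pravel_invoice_edit_account_safe() {
    // 1. CSRF: the request must carry a nonce created for this action.
    check_ajax_referer( 'pravel_edit_account', 'nonce' );

    // 2. Authentication: wp_ajax_ fires only for logged-in users, but be explicit.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthorized', 401 );
    }

    // 3. Authorization: a caller may edit their own account, or another user's
    //    only if WordPress grants them the edit_user meta capability for it.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( $target_id !== get_current_user_id() && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Input validation: accept only a well-formed email address.
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid_email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $target_id ) );
}
```

Dropping the wp_ajax_nopriv_ registration alone closes the unauthenticated path the advisory describes; the nonce and ownership checks are what stop a low-privilege logged-in user from reaching the same wp_update_user() call against someone else's account.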


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Enumerate target admin user_id
Delivery: POST to admin-ajax.php pravel_invoice_edit_account
Exploit: wp_update_user overwrites admin email
Execution: Trigger WordPress password reset
Persist: Receive reset link, set new password
Impact: Log in as administrator

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the Invoice Generator plugin (≤1.0.0) be installed and active and that /wp-admin/admin-ajax.php be reachable over the network - the default deployment state. …
Risk Assessment: All authoritative signals point the same direction: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical) reflects a network-reachable, low-complexity, unauthenticated, no-interaction attack with full confidentiality, integrity, and availability impact once an admin account is taken over. …
Exploit Scenario: An attacker enumerates the site's admin user ID (commonly 1, or via the REST users endpoint), then sends a single unauthenticated POST to /wp-admin/admin-ajax.php with action=pravel_invoice_edit_account, user_id of the administrator, and user_email set to an attacker-controlled mailbox. The handler updates the admin's email without authentication; the attacker then requests a WordPress password reset, receives the link at their mailbox, sets a new password, and logs in as administrator. …
Remediation: No fixed version is stated in the provided data, so treat this as: no vendor-released patched version independently confirmed at time of analysis - monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/ee045d0d-101a-4ae2-b209-4a4865eec195?source=cve) and the plugin page for an update beyond 1.0.0 and apply it immediately when released. …

Recommended Action (AI)

Within 24 hours: Audit all WordPress installations for the Pravel Invoice Generator plugin and immediately disable or remove it from production environments. …
