
Invoice Generator plugin CVE-2026-12416

EUVD: EUVD-2026-38680 · CRITICAL
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-06-24 · Wordfence · GHSA-5656-6hgp-4v5v
CVSS 3.1 score: 9.8 (Vendor: Wordfence)

Severity by source

Vendor (Wordfence), primary: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.8 CRITICAL

Unauthenticated network POST with no user interaction trivially takes over admin accounts, yielding full confidentiality, integrity, and availability impact on the WordPress site.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 24, 2026 - 06:54 (vuln.today)
CVE Published: Jun 24, 2026 - 05:33 (cve.org), rated CRITICAL 9.8

Description (CVE.org)

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset_activation_code POST parameter and the target user's stored forgot_email user meta - a check that trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset_user_id POST parameter, bypass the activation code check entirely by omitting reset_activation_code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
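The bypass the description attributes to the plugin is a general PHP pitfall: a loose `==` comparison between a POST parameter that was never sent (so it defaults to an empty string) and a user-meta value that was never set (also empty) evaluates to true. The following PHP is an added illustration, not the plugin's code and not from CVE.org, Wordfence or vuln.today; the function names `weak_code_check`, `strong_code_check` and the array standing in for `$_POST` are constructed for the example. It shows the weak pattern next to a hardened check that refuses empty tokens and compares in constant time.

```php
<?php
// Added illustration (hypothetical code, not the Invoice Generator plugin's source).
// $post stands in for $_POST; $stored_code stands in for the value a plugin would
// read back from user meta. Both are constructed inputs for the demonstration.

// Weak pattern: a missing POST key is treated as '' and compared loosely.
// With a never-issued code the stored value is also '', so '' == '' is true
// and the "activation code" check is satisfied without any code at all.
function weak_code_check(array $post, string $stored_code): bool
{
    $supplied = $post['reset_activation_code'] ?? '';
    return $supplied == $stored_code; // loose comparison: passes for ''/'' and type juggling
}

// Hardened pattern:
//  1. a token must actually have been issued (non-empty stored value),
//  2. the client must actually supply one (non-empty, string-typed),
//  3. compare with hash_equals() so the check is strict and constant-time.
function strong_code_check(array $post, string $stored_code): bool
{
    if ($stored_code === '') {
        return false; // no reset was ever requested for this account
    }
    if (!isset($post['reset_activation_code']) || !is_string($post['reset_activation_code'])) {
        return false; // parameter omitted or wrong type: reject, do not default to ''
    }
    $supplied = $post['reset_activation_code'];
    if ($supplied === '') {
        return false;
    }
    return hash_equals($stored_code, $supplied);
}

// Constructed cases: request with no code against an account that never asked for one,
// and a request carrying the correct issued code.
$no_code_request  = [];
$issued_code      = 'c0nstructed-example-token';
$matching_request = ['reset_activation_code' => $issued_code];

var_dump(weak_code_check($no_code_request, ''));
var_dump(strong_code_check($no_code_request, ''));
var_dump(strong_code_check($matching_request, $issued_code));
```

Running the three calls shows the weak check accepting the empty request against an empty stored value, while the hardened check rejects it and only accepts the request that carries the issued token. In a real WordPress AJAX handler the comparison is only one layer: the handler should also verify a nonce with `check_ajax_referer()`, invalidate the stored token with `delete_user_meta()` after a single use, and bind the token to the account that requested the reset rather than to a caller-supplied user ID.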

Analysis (AI)

Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv pravel_invoice_change_password() AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running Invoice Generator
Delivery: Send unauthenticated POST to admin-ajax.php
Exploit: Bypass empty activation code check
Install: Overwrite administrator password
C2: Log in as administrator
Execute: Upload malicious plugin for RCE
Impact: Full site and host compromise

Vulnerability Assessment (AI)

Exploitation: Requires only that the Invoice Generator plugin (Pravel) be installed and activated on a reachable WordPress site, and that the targeted account (e.g., user ID 1) has never completed a forgot-password flow through this plugin - leaving the `forgot_email` user meta empty, which is the default state for administrators. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is consistent with the description - the attack is a single unauthenticated HTTP POST to admin-ajax.php with no preconditions beyond the plugin being installed and the target administrator never having used the forgot-password flow (the default state). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker enumerates a known WordPress site running Invoice Generator, then sends a single POST to /wp-admin/admin-ajax.php with action=pravel_invoice_change_password, reset_user_id=1 (the default admin), and an attacker-chosen new password, omitting the reset_activation_code field. The loose-equality check passes against the empty forgot_email meta, the admin password is overwritten, and the attacker logs in as administrator - from there, standard WordPress post-exploitation (plugin upload, theme editor) yields RCE on the host.

Remediation: No vendor-released patch identified at time of analysis; the plugin's latest published version (1.0.0) remains vulnerable per the references. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all WordPress instances running Invoice Generator; immediately deactivate and delete the plugin; audit all user accounts for unauthorized changes or password resets. …
