Severity by source
CVSS 3.1 vector (vendor rating, Wordfence): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network POST with no user interaction trivially takes over admin accounts, yielding full confidentiality, integrity, and availability impact on the WordPress site.
Primary rating from vendor (Wordfence).
Description (CVE.org)
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset_activation_code POST parameter and the target user's stored forgot_email user meta - a check that trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset_user_id POST parameter, bypass the activation code check entirely by omitting reset_activation_code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
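The defect described above is a loose-equality check against user meta that is empty by default. The following PHP is an added illustration written for this page, not the Invoice Generator plugin's source: the handler and parameter names (pravel_invoice_change_password, reset_user_id, reset_activation_code, forgot_email) come from the advisory, while the meta key pravel_reset_token, the nonce action pravel_invoice_reset, the new_password parameter and the helper names are assumptions. It shows the insecure comparison next to a hardened reset flow that stays reachable to logged-out users (a password reset must be), but fails closed when no code was ever issued, stores only a hash of a single-use expiring code, and compares it with hash_equals(). It runs inside WordPress, since it uses the WordPress API.

```php
<?php
// Added illustration, not the Invoice Generator plugin's code. Advisory names:
// pravel_invoice_change_password, reset_user_id, reset_activation_code,
// forgot_email. Assumed (hypothetical): meta key 'pravel_reset_token', nonce
// action 'pravel_invoice_reset', POST field 'new_password', helper names.

// --- The comparison the advisory describes (do not use) ---------------------
// In PHP '' == '' is true, so a user who never requested a reset (empty meta)
// passes this check when the caller simply omits reset_activation_code.
function pravel_code_matches_insecure( $supplied, $stored ) {
    return $supplied == $stored;
}

// --- Hardened reset flow -----------------------------------------------------

// Step 1: issue a single-use, time-limited code. Only its hash is stored; the
// plain code is sent to the account's e-mail address (delivery omitted here).
function pravel_invoice_issue_reset_code( $user_id ) {
    $code = wp_generate_password( 32, false ); // high-entropy alphanumeric token
    update_user_meta( $user_id, 'pravel_reset_token', array(
        'hash'    => hash( 'sha256', $code ),
        'expires' => time() + 15 * MINUTE_IN_SECONDS,
    ) );
    return $code;
}

// Step 2: validate a supplied code. Fails closed on: missing or empty input,
// no token on file, expired token, mismatch. hash_equals() is strict and
// constant-time, so neither type juggling nor timing decides the outcome.
function pravel_invoice_code_is_valid( $user_id, $supplied ) {
    if ( ! is_string( $supplied ) || $supplied === '' ) {
        return false;
    }
    $token = get_user_meta( $user_id, 'pravel_reset_token', true );
    if ( ! is_array( $token ) || empty( $token['hash'] ) || empty( $token['expires'] ) ) {
        return false; // nothing was issued: reject instead of comparing '' == ''
    }
    if ( time() > (int) $token['expires'] ) {
        return false;
    }
    return hash_equals( $token['hash'], hash( 'sha256', $supplied ) );
}

// Step 3: the AJAX handler. Authorization comes from possession of a valid,
// unexpired code (enforced above); the nonce protects against CSRF.
function pravel_invoice_change_password_hardened() {
    check_ajax_referer( 'pravel_invoice_reset', 'nonce' ); // dies on failure

    $user_id  = absint( $_POST['reset_user_id'] ?? 0 );
    $supplied = isset( $_POST['reset_activation_code'] )
        ? (string) wp_unslash( $_POST['reset_activation_code'] ) : '';
    $new_pass = isset( $_POST['new_password'] )
        ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( ! $user_id || ! get_user_by( 'id', $user_id ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    if ( ! pravel_invoice_code_is_valid( $user_id, $supplied ) ) {
        wp_send_json_error( 'invalid or expired code', 403 );
    }
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    delete_user_meta( $user_id, 'pravel_reset_token' );        // single use
    wp_set_password( $new_pass, $user_id );
    WP_Session_Tokens::get_instance( $user_id )->destroy_all(); // log out every session
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_pravel_invoice_change_password', 'pravel_invoice_change_password_hardened' );
add_action( 'wp_ajax_pravel_invoice_change_password', 'pravel_invoice_change_password_hardened' );
```

The important design choice is that the code is never compared at all unless one is on file and unexpired: the empty-meta default becomes a rejection rather than a match. A nonce alone would not have closed this bug, because WordPress issues nonces to logged-out visitors too; it only adds CSRF protection, which is why the possession check carries the authorization.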
Analysis (AI)
Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv pravel_invoice_change_password() AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | Requires only that the Invoice Generator plugin (Pravel) be installed and activated on a reachable WordPress site, and that the targeted account (e.g., user ID 1) has never completed a forgot-password flow through this plugin, leaving the `forgot_email` user meta empty, which is the default state for administrators. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is consistent with the description: the attack is a single unauthenticated HTTP POST to admin-ajax.php with no preconditions beyond the plugin being installed and the target administrator never having used the forgot-password flow (the default state). … |
| Exploit Scenario | An unauthenticated attacker enumerates a known WordPress site running Invoice Generator, then sends a single POST to /wp-admin/admin-ajax.php with action=pravel_invoice_change_password, reset_user_id=1 (the default admin), and an attacker-chosen new password, omitting the reset_activation_code field. The loose-equality check passes against the empty forgot_email meta, the admin password is overwritten, and the attacker logs in as administrator; from there, standard WordPress post-exploitation (plugin upload, theme editor) yields RCE on the host. |
| Remediation | No vendor-released patch identified at time of analysis; the plugin's latest published version (1.0.0) remains vulnerable per the references. … |
Recommended Action (AI)
Within 24 hours: Identify all WordPress instances running Invoice Generator; immediately deactivate and delete the plugin; audit all user accounts for unauthorized changes or password resets. …
Related identifiers: EUVD-2026-38680, GHSA-5656-6hgp-4v5v