Skip to main content

WordPress CVE-2026-2343

| EUVD-2026-15188 MEDIUM
2026-03-25 WPScan GHSA-w7c9-8pqp-97mg
WordPress Information Disclosure
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
PoC Detected
Mar 25, 2026 - 15:41 vuln.today
Public exploit code
EUVD ID Assigned
Mar 25, 2026 - 06:15 euvd
EUVD-2026-15188
Analysis Generated
Mar 25, 2026 - 06:15 vuln.today
CVE Published
Mar 25, 2026 - 06:00 nvd
MEDIUM 5.3

DescriptionCVE.org

The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII.

AnalysisAI

The PeproDev Ultimate Invoice WordPress plugin through version 2.2.5 contains an information disclosure vulnerability in its bulk download invoices feature, which generates ZIP archives with predictably named files containing exported invoice PDFs. An unauthenticated or low-privileged attacker can brute force the predictable ZIP file naming scheme to retrieve and download archives containing sensitive personally identifiable information (PII) from invoices. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability represents a significant real-world risk despite the absence of CVSS and EPSS scores in the provided intelligence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a WordPress site using the PeproDev Ultimate Invoice plugin and begins brute forcing common patterns for the plugin's ZIP archive file names (such as sequential numbering or timestamp-based naming). Within minutes, the attacker identifies valid archive names and downloads multiple ZIP files containing exported invoices with PII data. …
Remediation Users must immediately upgrade the PeproDev Ultimate Invoice plugin to a version newer than 2.2.5 once a patched version is released by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8935 CRITICAL POC
9.8 Jun 15

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that i
CVE-2026-10795 HIGH POC
8.1 Jun 11

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat
CVE-2026-8089 HIGH POC
7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH POC
7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-52704 CRITICAL
10.0 Jun 15

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows un

Share

CVE-2026-2343 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy