Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Unauthenticated RCE in an internet-reachable WordPress plugin endpoint with code execution under the PHP user affecting the wider host, so AV:N/AC:L/PR:N/UI:N/S:C and full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
AnalysisAI
Remote code execution in the Easy Invoice WordPress plugin (versions <= 2.1.19) allows unauthenticated attackers to run arbitrary code on the underlying server via a code injection flaw (CWE-94). The maximum CVSS 10.0 score reflects network reachability, no privileges, no user interaction, and a scope change with full confidentiality, integrity, and availability impact on the hosting WordPress site. No public exploit identified at time of analysis, but the trivial exploitability profile makes weaponization likely once technical details are published by Patchstack.
Technical ContextAI
Easy Invoice is a WordPress plugin published by Mantrabrain (CPE cpe:2.3:a:mantrabrain:easy_invoice) used to generate and manage invoices inside WordPress sites. The root cause is CWE-94 (Improper Control of Generation of Code), meaning attacker-controlled input is incorporated into a code execution context - typically a PHP eval, unsafe deserialization, dynamic include/require, or callable invocation - without sanitization. Because the plugin runs inside the WordPress request lifecycle, code executes with the privileges of the PHP-FPM/web server user, granting access to wp-config.php database credentials and the wp-content directory.
RemediationAI
Patch available per vendor advisory - upgrade Easy Invoice to a release newer than 2.1.19 as published by Mantrabrain on the WordPress plugin repository; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-1-19-remote-code-execution-rce-vulnerability for the exact fixed version. If immediate upgrade is not possible, deactivate and delete the Easy Invoice plugin (trade-off: invoice generation functionality is lost until replaced); alternatively, place the site behind a WAF such as Patchstack or Wordfence with the rule for this CVE enabled and block external requests to wp-admin/admin-ajax.php and wp-content/plugins/easy-invoice/ endpoints (trade-off: legitimate admin invoice workflows may break). After mitigation, rotate WordPress admin and database credentials and audit wp-content/uploads and the filesystem for webshells, because pre-disclosure scanning may already have occurred.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36844
GHSA-jwwx-7m25-m3h7