Skip to main content

Easy Invoice CVE-2026-48836

| EUVDEUVD-2026-36844 CRITICAL
Code Injection (CWE-94)
2026-06-15 Patchstack GHSA-jwwx-7m25-m3h7
10.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Unauthenticated RCE in an internet-reachable WordPress plugin endpoint with code execution under the PHP user affecting the wider host, so AV:N/AC:L/PR:N/UI:N/S:C and full CIA impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:50 vuln.today

DescriptionCVE.org

Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.

AnalysisAI

Remote code execution in the Easy Invoice WordPress plugin (versions <= 2.1.19) allows unauthenticated attackers to run arbitrary code on the underlying server via a code injection flaw (CWE-94). The maximum CVSS 10.0 score reflects network reachability, no privileges, no user interaction, and a scope change with full confidentiality, integrity, and availability impact on the hosting WordPress site. No public exploit identified at time of analysis, but the trivial exploitability profile makes weaponization likely once technical details are published by Patchstack.

Technical ContextAI

Easy Invoice is a WordPress plugin published by Mantrabrain (CPE cpe:2.3:a:mantrabrain:easy_invoice) used to generate and manage invoices inside WordPress sites. The root cause is CWE-94 (Improper Control of Generation of Code), meaning attacker-controlled input is incorporated into a code execution context - typically a PHP eval, unsafe deserialization, dynamic include/require, or callable invocation - without sanitization. Because the plugin runs inside the WordPress request lifecycle, code executes with the privileges of the PHP-FPM/web server user, granting access to wp-config.php database credentials and the wp-content directory.

RemediationAI

Patch available per vendor advisory - upgrade Easy Invoice to a release newer than 2.1.19 as published by Mantrabrain on the WordPress plugin repository; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-1-19-remote-code-execution-rce-vulnerability for the exact fixed version. If immediate upgrade is not possible, deactivate and delete the Easy Invoice plugin (trade-off: invoice generation functionality is lost until replaced); alternatively, place the site behind a WAF such as Patchstack or Wordfence with the rule for this CVE enabled and block external requests to wp-admin/admin-ajax.php and wp-content/plugins/easy-invoice/ endpoints (trade-off: legitimate admin invoice workflows may break). After mitigation, rotate WordPress admin and database credentials and audit wp-content/uploads and the filesystem for webshells, because pre-disclosure scanning may already have occurred.

Share

CVE-2026-48836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy