Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network AJAX endpoint requires no auth (nonce is public); integrity-only impact limited to quote state changes; no confidentiality or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easy_invoice_accept_quote and easy_invoice_decline_quote AJAX actions via wp_ajax_nopriv_ hooks and relying solely on a quote-scoped nonce that is rendered into the publicly accessible single quote template, combined with an ownership check that is gated behind an off-by-default Pro option (easy_invoice_pro_restrict_quote_to_client). This makes it possible for unauthenticated attackers to accept or decline arbitrary published quotes - and, depending on the configured accept action, automatically convert them into invoices (and even email them to the client) - by harvesting the per-quote nonce from the public quote page and submitting it to admin-ajax.
AnalysisAI
Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Easy Invoice plugin to be installed at version 2.1.19 or below and at least one quote to be published with a publicly accessible quote page that renders the per-quote nonce in the HTML. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects the low attack complexity and absence of authentication requirements, though the I:L rating may understate business impact in environments where automatic invoice creation and client email notifications are configured on quote acceptance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running Easy Invoice by detecting the plugin's public quote URLs (e.g., /quotes/quote-12345). They load the quote page, extract the nonce value from the rendered HTML template, then craft a POST request to /wp-admin/admin-ajax.php with action=easy_invoice_accept_quote and the harvested nonce. … |
| Remediation | Upgrade Easy Invoice to version 2.2.0 or later, which contains the corrected authorization logic in QuoteController.php as documented in the WordPress SVN changeset at https://plugins.trac.wordpress.org/changeset/3517910/easy-invoice/trunk/includes/Controllers/QuoteController.php. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42567
GHSA-q2rr-fm39-2rpw