Skip to main content

Easy Invoice CVE-2026-9021

| EUVDEUVD-2026-42567 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-q2rr-fm39-2rpw
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network AJAX endpoint requires no auth (nonce is public); integrity-only impact limited to quote state changes; no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 12:01 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
MEDIUM 5.3

DescriptionCVE.org

The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easy_invoice_accept_quote and easy_invoice_decline_quote AJAX actions via wp_ajax_nopriv_ hooks and relying solely on a quote-scoped nonce that is rendered into the publicly accessible single quote template, combined with an ownership check that is gated behind an off-by-default Pro option (easy_invoice_pro_restrict_quote_to_client). This makes it possible for unauthenticated attackers to accept or decline arbitrary published quotes - and, depending on the configured accept action, automatically convert them into invoices (and even email them to the client) - by harvesting the per-quote nonce from the public quote page and submitting it to admin-ajax.

AnalysisAI

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Browse public quote page URL
Delivery
Extract per-quote nonce from rendered HTML
Exploit
POST to wp-admin/admin-ajax.php with harvested nonce
Execution
Bypass disabled ownership check (Pro flag off by default)
Persist
Accept or decline arbitrary published quote
Impact
Trigger automated invoice creation and client email notification

Vulnerability AssessmentAI

Exploitation Exploitation requires the Easy Invoice plugin to be installed at version 2.1.19 or below and at least one quote to be published with a publicly accessible quote page that renders the per-quote nonce in the HTML. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects the low attack complexity and absence of authentication requirements, though the I:L rating may understate business impact in environments where automatic invoice creation and client email notifications are configured on quote acceptance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running Easy Invoice by detecting the plugin's public quote URLs (e.g., /quotes/quote-12345). They load the quote page, extract the nonce value from the rendered HTML template, then craft a POST request to /wp-admin/admin-ajax.php with action=easy_invoice_accept_quote and the harvested nonce. …
Remediation Upgrade Easy Invoice to version 2.2.0 or later, which contains the corrected authorization logic in QuoteController.php as documented in the WordPress SVN changeset at https://plugins.trac.wordpress.org/changeset/3517910/easy-invoice/trunk/includes/Controllers/QuoteController.php. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy