Skip to main content

Klamra Paycal EUVDEUVD-2026-34958

| CVE-2026-8611 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-06 Wordfence GHSA-rwm7-xhj3-2xjv
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 05:22 vuln.today
CVE Published
Jun 06, 2026 - 03:28 nvd
MEDIUM 4.3

DescriptionCVE.org

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.

AnalysisAI

Insecure Direct Object Reference in the Klamra Paycal for Aspaclaria WordPress plugin (all versions through 1.1.4) allows authenticated attackers with subscriber-level access to download invoices belonging to other customers by enumerating sequential WordPress post IDs via the unvalidated 'invoice_id' parameter. Exposed data includes full name, email address, phone number, order total, line items, and customer notes - constituting a significant billing PII breach for any e-commerce site running this plugin. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and sequential enumeration method make mass harvesting of customer data straightforward for any authenticated user.

Technical ContextAI

The vulnerability resides in the invoice download and rendering subsystem of the Klamra Paycal for Aspaclaria WordPress plugin, specifically in 'includes/Modules/Invoices/Legacy/includes/pdf/download.php' and 'includes/render.php'. WordPress stores invoices as post objects identified by sequential integer post IDs. The plugin exposes an 'invoice_id' parameter that is passed directly to the retrieval logic without verifying whether the authenticated user owns the referenced invoice - a textbook CWE-639 (Authorization Bypass Through User-Controlled Key) flaw. Because WordPress post IDs are globally sequential and predictable, an attacker can iterate through integer values to retrieve any invoice in the system. The affected CPE is cpe:2.3:a:klamra22:klamra_paycal_for_aspaclaria:*:*:*:*:*:*:*:*, covering all published versions through 1.1.4, as confirmed by source references to both the 1.0.2 and 1.1.1 plugin tags in the WordPress plugin repository.

RemediationAI

An upstream fix has been committed to the WordPress plugin repository per the changeset reference (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3555026%40klamra-paycal-for-aspaclaria&new=3555026%40klamra-paycal-for-aspaclaria); the specific released patched version number is not independently confirmed from available data, so administrators should update to the latest available version from the WordPress plugin directory and verify the installed version exceeds 1.1.4. As a compensating control pending patching, administrators can disable user registration if not business-critical, removing the easiest path for unauthenticated actors to obtain a subscriber account - note this does not protect against existing registered users. Additionally, access to invoice download endpoints can be restricted at the WAF or server level if the URL pattern for the vulnerable download.php path is known; however, this may break legitimate invoice access for customers. Review server access logs for unusual enumeration patterns against invoice download endpoints to assess whether exploitation has already occurred.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy