CVE-2026-12415

CRITICAL 9.8

Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.

CWE	CWE-269
Vendor	pravel
Product	invoice generator
Published	Jun 27, 2026

Stay Ahead of the Next One

Get instant alerts for pravel invoice generator

Be the first to know when new critical vulnerabilities affecting pravel invoice generator are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

pravel / Invoice Generator

0 ≤ 1.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/ee045d0d-101a-4ae2-b209-4a4865eec195?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/invoice-creator/trunk/lib/user-manage-function.php#L193 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/invoice-creator/trunk/lib/user-manage-function.php#L184 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/invoice-creator/trunk/lib/user-manage-function.php#L203

Credits

Alyudin Nafiie