๐Ÿ” CVE Alert

CVE-2026-9857

MEDIUM 4.3

Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions

CVSS Score
4.3
EPSS Score
0.5%
EPSS Percentile
38th

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the plugin's API key stored in wp_options, modify invoice plugin settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.

CWE CWE-862
Vendor saskaita123
Product invoice123
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for saskaita123 invoice123

Be the first to know when new medium vulnerabilities affecting saskaita123 invoice123 are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

saskaita123 / Invoice123
0 โ‰ค 1.7.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4e685a-0462-447f-a639-4f95d5aa27ab?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_InvoiceSettings.php#L26 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_InvoiceSettings.php#L65 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_ApiKey.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_InvoiceSettings.php#L18 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_ApiKey.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_InvoiceSettings.php#L26 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_InvoiceSettings.php#L65 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_ApiKey.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_InvoiceSettings.php#L18 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_ApiKey.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3594935%40saskaita123-lt&new=3594935%40saskaita123-lt

Credits

Benedictus Jovan (aillesiM)