CVE-2026-9857
Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions
CVSS Score
4.3
EPSS Score
0.5%
EPSS Percentile
38th
The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the plugin's API key stored in wp_options, modify invoice plugin settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.
| CWE | CWE-862 |
| Vendor | saskaita123 |
| Product | invoice123 |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for saskaita123 invoice123
Be the first to know when new medium vulnerabilities affecting saskaita123 invoice123 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
saskaita123 / Invoice123
0 โค 1.7.0
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4e685a-0462-447f-a639-4f95d5aa27ab?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_InvoiceSettings.php#L26 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_InvoiceSettings.php#L65 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_ApiKey.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_InvoiceSettings.php#L18 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.7.0/includes/pages/S123_ApiKey.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_InvoiceSettings.php#L26 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_InvoiceSettings.php#L65 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_ApiKey.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_InvoiceSettings.php#L18 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/saskaita123-lt/tags/1.6.8/includes/pages/S123_ApiKey.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3594935%40saskaita123-lt&new=3594935%40saskaita123-lt
Credits
Benedictus Jovan (aillesiM)