Executive Summary
A critical unauthenticated privilege escalation vulnerability has been disclosed in the Invoice Generator plugin for WordPress by developer pravel. The flaw, assigned CVE-2026-12415 with a CVSS 3.1 score of 9.8, allows any unauthenticated remote attacker to take over arbitrary WordPress user accounts — including site administrators — by exploiting a missing capability check on an exposed AJAX handler. No patch is currently available; sites running version 1.0.0 or below should deactivate the plugin immediately.
CVSS Score: 9.8 (Critical)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-12415 |
| CVSS Score | 9.8 (Critical) |
| Type | Missing Capability Check / Privilege Escalation |
| Attack Vector | Network (unauthenticated) |
| Privileges Required | None |
| User Interaction | None |
| CWE | CWE-269 (Improper Privilege Management) |
| Assigned By | Wordfence |
| Researcher | Alyudin Nafiie |
| Published | 2026-06-27 |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| Invoice Generator by pravel | <= 1.0.0 | None available — deactivate immediately |
Technical Analysis
The root cause is the pravel_invoice_edit_account() function registered via the wp_ajax_nopriv_pravel_invoice_edit_account hook. Registering under wp_ajax_nopriv_ exposes the action to completely unauthenticated callers — no cookie, nonce, or session is required.
The vulnerable code path, located in invoice-creator/trunk/lib/user-manage-function.php, accepts an attacker-controlled user_id and user_email parameter and passes them directly to WordPress's wp_update_user() without:
- Verifying the caller is authenticated
- Confirming the caller owns the target account
- Validating a nonce
Attack Chain
1. Attacker identifies a WordPress site with Invoice Generator <= 1.0.0 active
2. Attacker sends unauthenticated POST to wp-admin/admin-ajax.php
action=pravel_invoice_edit_account
user_id=1 (WordPress admin UID — always 1 on default installs)
user_email=attacker@attacker.com
3. Plugin calls wp_update_user() — updates admin email with no auth check
4. Attacker triggers WordPress password reset for the admin account
5. Reset email delivered to attacker-controlled inbox
6. Attacker sets new password — full administrator access achievedImpact of Successful Exploitation
| Impact | Description |
|---|---|
| Full Account Takeover | Complete control of any WordPress user, including all admins |
| Site Defacement | Modify themes, plugins, and content |
| Backdoor Installation | Upload malicious plugins or PHP shells |
| Data Exfiltration | Access all user data, orders, and wp-config.php credentials |
| SEO Spam / Malware Distribution | Inject malicious content visible to site visitors |
| Lateral Movement | Pivot to other sites on shared hosting environments |
Immediate Remediation
Step 1: Deactivate or Remove the Plugin
No patched version exists. The safest action is immediate deactivation:
# Via WP-CLI
wp plugin deactivate invoice-creator
wp plugin delete invoice-creator
# Verify removal
wp plugin list --status=active | grep invoiceOr navigate to WordPress Admin > Plugins > Invoice Generator > Deactivate > Delete.
Step 2: Audit for Existing Compromise
Check whether an attacker has already exploited the flaw:
# Review recent admin account email changes in the database
wp db query "SELECT user_login, user_email, user_registered FROM wp_users WHERE ID=1;"
# Check for unknown administrator accounts
wp user list --role=administrator
# Inspect recent logins and password reset records
wp db query "SELECT * FROM wp_options WHERE option_name IN ('admin_email','new_admin_email');"
# Search for recently uploaded PHP files in plugin/upload directories
find /var/www/html/wp-content/ -name "*.php" -newer /var/www/html/wp-login.php -type fStep 3: Block the AJAX Action at the Web Server (Temporary)
If deactivation is not immediately possible, block the exposed action via Nginx or Apache:
# Nginx — block the vulnerable AJAX action
location = /wp-admin/admin-ajax.php {
if ($arg_action = "pravel_invoice_edit_account") {
return 403;
}
}# Apache — block via RewriteRule in .htaccess
RewriteCond %{QUERY_STRING} action=pravel_invoice_edit_account
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]Step 4: Rotate Credentials
If compromise is suspected or confirmed:
- Reset all administrator account passwords
- Rotate database credentials in
wp-config.php - Regenerate WordPress security keys:
wp config shuffle-salts - Audit for backdoors: scan
wp-content/for webshells or unauthorized PHP files - Review user accounts: remove any unknown administrators
Detection Indicators
| Indicator | Description |
|---|---|
POST to admin-ajax.php?action=pravel_invoice_edit_account | Direct exploitation attempt |
Unexpected admin email changes in wp_options | Successful account targeting |
| New administrator accounts not created by known users | Post-exploitation persistence |
PHP files in wp-content/uploads/ | Potential backdoor installation |
| Outbound requests from web server process | Data exfiltration activity |
WAF / IDS Rule (ModSecurity)
SecRule ARGS:action "@streq pravel_invoice_edit_account" \
"id:9999001,phase:2,block,msg:'CVE-2026-12415 Exploitation Attempt',severity:CRITICAL"
Post-Remediation Steps
- Confirm plugin is fully deactivated and deleted
- Scan all administrator accounts for unauthorized email changes
- Verify no unknown admins were added
- Rotate all WordPress and database credentials
- Implement a WAF (Wordfence, Sucuri) for ongoing protection
- Monitor for the release of a patched plugin version
- Consider replacing with an alternative invoicing plugin (e.g., Sliced Invoices, WP Invoice)