CRITICAL🇵🇱 Wersja polska

CVE-2026-12416

CVSS 9.8v3.1pub. 2026-06-24upd. 2026-06-25

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.

🤖 AI Analysis
How it works

The `pravel_invoice_change_password()` function is registered as an AJAX handler accessible without authentication (nopriv), does not verify a nonce token or caller permissions. The code compares the value of the `reset_activation_code` parameter with the `forgot_email` field stored in user metadata using loose equality comparison, causing the comparison `'' == ''` to return true for any user who has never initiated a password reset procedure — in practice, this affects administrator accounts under normal conditions. An attacker can specify any user ID through the POST parameter `reset_user_id`, omit the `reset_activation_code` parameter (which causes code verification to trivially pass), and set a new password of their choice for the specified account.

Impact

An unauthenticated attacker can take full control of any account on the WordPress site, including administrator accounts, resulting in complete website compromise (loss of confidentiality, integrity, and availability).

Mitigation & patch

Security patches available from the vendor should be applied according to references. Until an update is available, it is recommended to deactivate and remove the Invoice Generator plugin from all WordPress installations.

Who is affected

Invoice Generator plugin for WordPress in all versions up to and including 1.0.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References