A missing capability check in the Invoice Generator plugin for WordPress lets unauthenticated attackers hijack any account, including administrators, by changing its email address and abusing the password reset flow.
What Is It
CVE-2026-12415 is a privilege escalation flaw (CWE-269) in the Invoice Generator plugin for WordPress, affecting all versions up to and including 1.0.0. The pravel_invoice_edit_account() AJAX handler is exposed through wp_ajax_nopriv_pravel_invoice_edit_account, meaning it is reachable without authentication. It accepts an attacker-controlled user_id and user_email from POST data and passes them to wp_update_user() without verifying authentication, ownership, or a nonce. An attacker can therefore overwrite the email address of any user and then trigger WordPress's standard password reset flow to seize control of the targeted account.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is exploitable over the network, requires low attack complexity, and needs no privileges or user interaction. Because the flaw allows takeover of administrator accounts, successful exploitation can hand an attacker full control of the affected WordPress site, with high impact to confidentiality, integrity, and availability.
What's Vulnerable
- Vendor: pravel
- Product: Invoice Generator plugin for WordPress
- Affected versions: all versions through and including 1.0.0
The root cause sits in the plugin's user-manage-function.php, where the account-edit handler runs without an authentication, ownership, or nonce check.
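The following PHP is an added illustration of the missing checks named above; it is not the plugin's source. The block comment reconstructs the pattern the advisory describes (a nopriv AJAX hook feeding POST values straight into wp_update_user()), and the function below it shows the shape of a hardened handler: authenticated hook only, nonce verification, an ownership or capability check, and input validation. The nonce action name and the nonce field name are assumptions for this example.

```php
<?php
/*
 * Pattern as described in the advisory (illustrative reconstruction, not the
 * plugin's actual code). Registered on wp_ajax_nopriv_*, so any unauthenticated
 * request can set the email of any user_id:
 *
 *   add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', 'pravel_invoice_edit_account' );
 *   function pravel_invoice_edit_account() {
 *       wp_update_user( array( 'ID' => $_POST['user_id'], 'user_email' => $_POST['user_email'] ) );
 *       wp_die();
 *   }
 */

// Hardened form (added example): no nopriv registration at all, so the handler
// only runs for logged-in users.
add_action( 'wp_ajax_pravel_invoice_edit_account', 'pravel_invoice_edit_account_hardened' );

function pravel_invoice_edit_account_hardened() {
    // 1. CSRF: the form or JS must send a nonce made with
    //    wp_create_nonce( 'pravel_invoice_edit_account' ) in a 'nonce' field.
    //    (Both names are assumptions for this example.) Dies on failure.
    check_ajax_referer( 'pravel_invoice_edit_account', 'nonce' );

    // 2. Authentication: wp_ajax_ hooks already require a session, but the
    //    explicit check documents the requirement and survives hook changes.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Ownership: a user may edit only their own account unless they hold
    //    the edit_user meta capability for the target (administrators do).
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Validate the new address before it reaches wp_update_user().
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    $owner = email_exists( $email ); // user ID if the address is already taken, false otherwise
    if ( ! is_email( $email ) || ( $owner && (int) $owner !== $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or already-used email address.' ), 400 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The ownership check is the one that matters most here: a nonce alone stops cross-site forgery but not a logged-in low-privilege user retargeting user_id at an administrator, and authentication alone does not stop that either. Each wp_send_json_error() call ends the request, so the update line is reached only when every check passed.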
Patch Status
The supplied NVD record (published 2026-06-27, status "Received") lists no fixed version and no patched release. No CISA KEV entry was provided, so active exploitation is not confirmed in the available source material. Until a fixed version is verified, the prudent action is to deactivate and remove the Invoice Generator plugin.
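For sites that cannot remove the plugin immediately, the following must-use plugin is an added example (not vendor code) of a site-level stopgap: it refuses the pravel_invoice_edit_account AJAX action for unauthenticated requests before admin-ajax.php dispatches it, logs the attempt, and separately logs any email change on an administrator account, which is the precondition for the password-reset takeover described above. The function names and log prefixes are choices made for this example; drop the file into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: CVE-2026-12415 stopgap guard (added example, not vendor code)
 * Description: Blocks unauthenticated pravel_invoice_edit_account requests and
 *              logs administrator email changes until the plugin is removed.
 */

// admin-ajax.php reads the action from $_REQUEST, so GET and POST are both covered.
function cve_2026_12415_guard() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'pravel_invoice_edit_account' !== $action ) {
        return;
    }
    if ( is_user_logged_in() ) {
        // Authenticated use is left to the plugin; this guard only closes the
        // nopriv path. Removing the plugin is still the recommended action.
        return;
    }
    // Record the attempt so it can be correlated with later password-reset activity.
    error_log( sprintf(
        '[CVE-2026-12415 guard] blocked unauthenticated %s from %s targeting user_id=%s',
        $action,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 'none'
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
// 'init' runs inside wp-load before admin-ajax.php fires wp_ajax_nopriv_* hooks.
add_action( 'init', 'cve_2026_12415_guard', 0 );

// Detection: profile_update fires after wp_update_user() saves; compare the
// old and new address and flag changes on accounts that can manage the site.
function cve_2026_12415_watch_email_change( $user_id, $old_user_data ) {
    $updated = get_userdata( $user_id );
    if ( ! $updated || $updated->user_email === $old_user_data->user_email ) {
        return;
    }
    if ( user_can( $user_id, 'manage_options' ) ) {
        error_log( sprintf(
            '[CVE-2026-12415 watch] admin user_id=%d email changed %s -> %s by current_user=%d',
            $user_id,
            $old_user_data->user_email,
            $updated->user_email,
            get_current_user_id() // 0 means the change came from an unauthenticated request
        ) );
    }
}
add_action( 'profile_update', 'cve_2026_12415_watch_email_change', 10, 2 );
```

The two halves are independent: the guard closes the unauthenticated entry point named on this page, while the profile_update watcher fires regardless of which code path changed the address, so a log line with current_user=0 on an administrator account is worth an immediate look even after the plugin is gone. Neither replaces the recommended action of deactivating and removing the plugin; with WP-CLI that is `wp plugin deactivate` followed by `wp plugin delete`, using the plugin's directory slug.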