CVE-2026-12416 (2026-06-24)

CVE-2026-12416: Unauthenticated Account Takeover in WordPress Invoice Generator Plugin

A critical flaw in the Invoice Generator plugin for WordPress lets unauthenticated attackers reset any user's password, including administrators, and seize full control of affected sites.

What Is It

CVE-2026-12416 is a critical (CVSS 9.8) account takeover vulnerability in the Invoice Generator plugin for WordPress, classified as CWE-640 (Improper Recovery of Forgotten Password). The flaw lives in the plugin's pravel_invoice_change_password() function, which is registered as a nopriv AJAX handler (reachable without logging in) with no nonce verification and no authorization check. The function compares the attacker-supplied reset_activation_code POST parameter against the target user's stored forgot_email user meta using a loose equality check. For any user who has never initiated a forgot-password request (which, under normal conditions, includes administrators), that stored value is empty, so the comparison trivially evaluates to true ('' == '').

Why It Matters

The vector is fully unauthenticated and network-reachable, with low attack complexity and no user interaction required (AV:N/AC:L/PR:N/UI:N). An attacker supplies an arbitrary user ID via the reset_user_id POST parameter, omits the activation code to bypass the check entirely, and sets that account's password to a value of their choosing. This enables complete takeover of any account on the site, including administrator accounts, with high impact to confidentiality, integrity, and availability alike.
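The two sections above describe three defects in one handler: no nonce, no authorization, and a loose comparison against a user-meta value that is empty for anyone who never asked for a reset. The following is an added illustration of how a reset handler avoids each of those, written for this brief; it is not the Invoice Generator plugin's code, and the hook name, meta keys, nonce action and parameter names (reset_user_id and reset_activation_code are taken from the brief, the rest are assumptions) are placeholders.

```php
<?php
// Added example, not the plugin's own code. Hook name, meta keys and nonce action
// are assumptions for illustration; WordPress API calls are real.

// Issuing side: called when a user legitimately requests a reset. Only the SHA-256
// of the token is stored, so the meta value is useless to a database reader.
function example_issue_reset_token( $user_id ) {
    $token = wp_generate_password( 32, false );            // random, URL-safe
    update_user_meta( $user_id, 'example_reset_token_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, 'example_reset_token_time', time() );
    return $token;                                         // sent to the user's e-mail, never stored in clear
}

add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password' );

function example_change_password() {
    // 1. Nonce: the request must come from a reset form this site issued.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'example_reset_password', 'nonce' );

    $user_id = isset( $_POST['reset_user_id'] ) ? absint( $_POST['reset_user_id'] ) : 0;
    $code    = isset( $_POST['reset_activation_code'] ) ? (string) wp_unslash( $_POST['reset_activation_code'] ) : '';
    $newpass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // 2. A missing or empty code is rejected before any comparison happens.
    //    This closes the "omit the parameter" path the brief describes.
    if ( 0 === $user_id || '' === $code || '' === $newpass ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    $stored = get_user_meta( $user_id, 'example_reset_token_hash', true );
    $issued = (int) get_user_meta( $user_id, 'example_reset_token_time', true );

    // 3. A user with no outstanding reset has no stored token. That is a failure,
    //    not a match: the empty-vs-empty case can never reach the comparison.
    if ( ! is_string( $stored ) || '' === $stored ) {
        wp_send_json_error( 'invalid request', 403 );
    }

    // 4. Tokens expire; stale ones are purged so they cannot linger in user meta.
    if ( time() - $issued > 15 * MINUTE_IN_SECONDS ) {
        delete_user_meta( $user_id, 'example_reset_token_hash' );
        delete_user_meta( $user_id, 'example_reset_token_time' );
        wp_send_json_error( 'token expired', 403 );
    }

    // 5. Constant-time, strict comparison of hash(submitted) against the stored hash.
    //    hash_equals() compares byte strings, so PHP's loose == never enters into it.
    if ( ! hash_equals( $stored, hash( 'sha256', $code ) ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }

    // 6. One-time use: consume the token before the password changes.
    delete_user_meta( $user_id, 'example_reset_token_hash' );
    delete_user_meta( $user_id, 'example_reset_token_time' );

    wp_set_password( $newpass, $user_id );
    wp_send_json_success( 'password updated' );
}
```

The nonce is a CSRF control, not authorization: on its own it would not stop the takeover, because a logged-out visitor can obtain one from the reset form. The authorization comes from steps 2, 3 and 5 together, which guarantee that the only way to pass is to present the exact random token that was e-mailed to the account holder. Reviewing a plugin's nopriv handlers for those three properties (reject empty input, reject absent server-side state, compare strictly) is the quickest way to triage whether it shares this class of flaw.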

What's Vulnerable

Patch Status

The supplied source material does not list a fixed version or vendor patch. It also contains no CISA KEV entry, so there is no confirmation of active exploitation at this time. Given the unauthenticated, critical nature of the flaw, administrators should deactivate and remove the plugin until a patched release is confirmed.

Sources