Impact
The plugin contains a missing capability check in the wp_ajax_nopriv_pravel_invoice_edit_account action, allowing any visitor to submit a user_id and user_email pair that is processed by wp_update_user(). An attacker can change the email address of any user, including administrators, and then use the normal WordPress password‑reset flow to assume that account. The flaw therefore provides a direct path from unauthenticated access to full control of the targeted account and the sites that depend on its privileges, as reflected in the assigned CWE-269. The impact is a complete loss of confidentiality, integrity, and availability for the affected accounts.
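The handler pattern described above, as an added illustration that is not the plugin's own code (the page shows none): a constructed unauthenticated handler that trusts a caller-supplied user_id, beside a hardened form that drops the nopriv registration, checks a nonce, and restricts the target account to the caller's own unless the caller may edit other users. The action name, function names and nonce name are assumptions made for this example.

```php
<?php
// Constructed illustration of the bug class; NOT the plugin's code.
// Action, function and nonce names below are assumptions for this example.

// Vulnerable pattern: registered for unauthenticated (nopriv) callers and
// trusting a caller-supplied user_id, so any visitor can rewrite any user's email.
add_action('wp_ajax_nopriv_example_edit_account', 'example_edit_account_unsafe');
function example_edit_account_unsafe() {
    wp_update_user([
        'ID'         => absint($_POST['user_id']),
        'user_email' => sanitize_email($_POST['user_email']),
    ]);
    wp_send_json_success();
}

// Hardened pattern: logged-in callers only (no nopriv hook), nonce-checked,
// and the target account is the caller's own unless they hold edit_user rights.
add_action('wp_ajax_example_edit_account', 'example_edit_account_safe');
function example_edit_account_safe() {
    // CSRF protection: the front end sends a nonce from wp_create_nonce('example_edit_account').
    check_ajax_referer('example_edit_account', 'nonce');

    $requested_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : 0;
    $current_id   = get_current_user_id();

    // Authorization: editing another account requires the edit_user meta capability.
    if ($requested_id !== $current_id && !current_user_can('edit_user', $requested_id)) {
        wp_send_json_error('forbidden', 403); // wp_send_json_error() exits
    }

    $email = isset($_POST['user_email']) ? sanitize_email(wp_unslash($_POST['user_email'])) : '';
    if (!is_email($email)) {
        wp_send_json_error('invalid email', 400);
    }

    $result = wp_update_user(['ID' => $requested_id, 'user_email' => $email]);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success(['ID' => $result]);
}
```

The key difference is that the hardened handler never accepts a user_id from an anonymous caller; identity comes from the session and a capability check gates any change to another account.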
Affected Systems
The vulnerability affects the plugin by pravel, in all releases up through and including version 1.0.0. The flaw resides in the plugin’s AJAX handling code that is exposed to unauthenticated users. WordPress instances running these plugin versions are affected.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical risk. Because the exploit does not require any authentication, an attacker can launch the attack from any network by submitting a crafted POST request. No EPSS data is available, but the high CVSS grading and the fact that it is not listed in KEV suggest that this is an unpatched high‑severity vulnerability that could be targeted by opportunistic threat actors. The simplest exploitation route requires only knowledge of the plugin’s AJAX endpoint and the ability to craft a POST payload, so the risk is significant for any WordPress site that runs the affected plugin version and has not yet applied a patch.
OpenCVE Enrichment