Description
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Invoice Generator WordPress plugin allows anyone to reset the password of any user without authentication. An attacker can supply a target user ID and omit the activation code; because the reset comparison uses a loose equality that evaluates to true for empty values, the new password is accepted. This enables full compromise of any account, including administrators, undermining confidentiality and integrity of site data.

Affected Systems

WordPress sites running the Invoice Generator plugin by pravel, versions up to and including 1.0.0, are affected. The issue is present in all builds of 1.0.0, and no newer version is currently specified in the data.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. Exploitation requires no credentials and is achieved via the unauthenticated AJAX endpoint. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The attack path is straightforward: send a crafted POST request to the AJAX handler with the target user ID and a missing reset activation code, thereby resetting the account password.

Generated by OpenCVE AI on June 24, 2026 at 09:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Invoice Generator to a version newer than 1.0.0 or apply a vendor-supplied patch when it becomes available.
  • If no update is available, disable the unauthenticated password reset endpoint or remove the nopriv AJAX handler from the plugin code so reset requests cannot be performed remotely.
  • Review and modify the plugin’s password reset logic to include a proper nonce or token validation and enforce that only authenticated users can trigger a reset, addressing the underlying CWE-640 weakness.

Generated by OpenCVE AI on June 24, 2026 at 09:44 UTC.
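As an added illustration (not the plugin's code and not part of the OpenCVE record), the PHP below contrasts the loose comparison described in the CVE description with a hardened reset check along the lines of the recommended actions. The handler sketch, the nonce action name `invoice_reset_password` and the `new_password` parameter are assumptions; the WordPress functions it calls are real.

```php
<?php
// Reconstruction of the weak pattern described in the advisory (assumed shape, not plugin code):
// get_user_meta() returns '' when the meta key was never set, and an omitted POST
// parameter is null. In PHP, null == '' and '' == '' are both true, so a loose
// comparison cannot distinguish "no code was ever issued" from "correct code supplied".
function weak_reset_check(?string $supplied, string $stored_meta): bool {
    return $supplied == $stored_meta;
}

// Hardened check: a code must actually have been issued, the caller must supply one,
// and the comparison is strict and constant-time.
function hardened_reset_check(?string $supplied, string $stored_meta): bool {
    if ($stored_meta === '' || $supplied === null || $supplied === '') {
        return false;
    }
    return hash_equals($stored_meta, $supplied);
}

// Assumed handler sketch showing where the checks belong in a nopriv AJAX action.
// A nonce alone does not close this hole: a forgot-password flow is legitimately
// unauthenticated, so the secret protecting the account is the random single-use code.
function secure_change_password_handler(): void {
    check_ajax_referer('invoice_reset_password', 'nonce');   // assumed action name
    $user_id  = isset($_POST['reset_user_id']) ? absint($_POST['reset_user_id']) : 0;
    $supplied = isset($_POST['reset_activation_code'])
        ? sanitize_text_field(wp_unslash($_POST['reset_activation_code']))
        : null;
    $stored = (string) get_user_meta($user_id, 'forgot_email', true);
    if ($user_id === 0 || !hardened_reset_check($supplied, $stored)) {
        wp_send_json_error('invalid reset request', 403);   // exits
    }
    delete_user_meta($user_id, 'forgot_email');               // single use: invalidate before changing
    $new_password = sanitize_text_field(wp_unslash($_POST['new_password'] ?? '')); // assumed parameter
    if ($new_password === '') {
        wp_send_json_error('empty password', 400);
    }
    wp_set_password($new_password, $user_id);
    wp_send_json_success();
}

// Stand-alone check of the two comparison functions (runs without WordPress).
var_dump(weak_reset_check(null, ''));               // the omitted-parameter case from the advisory
var_dump(hardened_reset_check(null, ''));
var_dump(hardened_reset_check('abc123', 'abc123'));
```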

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type          Values Removed   Values Added
Description   (empty)          The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
Title         (empty)          Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter
Weaknesses    (empty)          CWE-640
References    (empty)          (empty)
Metrics       (empty)          cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:30.208Z

Reserved: 2026-06-16T16:00:47.462Z

Link: CVE-2026-12416

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:45:14Z

Weaknesses
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password