Description
The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, making it possible to brute force and retrieve PII.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: PII Disclosure
Action: Patch Immediately
AI Analysis

Impact

An unauthenticated user can trigger the bulk download feature of the PeproDev Ultimate Invoice WordPress plugin (versions up to 2.2.5) to produce ZIP archives of exported invoice PDFs. The archives are named predictably, enabling brute-force enumeration of the ZIP files and the retrieval of personally identifiable information, including financial details. This results in a disclosure of sensitive data, compromising confidentiality.

Affected Systems

The vulnerability affects the PeproDev Ultimate Invoice WordPress plugin on WordPress sites, specifically all releases up to and including version 2.2.5. Sites running any of those plugin versions are susceptible to unauthenticated archive download.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires no credentials; an attacker only needs to send HTTP requests to the bulk-download endpoint and systematically try the predictable ZIP names. Successful enumeration would expose a large volume of PII. While the immediate risk to a single site may be modest, the potential for mass data leakage makes this a significant concern for administrators.

Generated by OpenCVE AI on March 27, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version newer than 2.2.5 when an update becomes available.
  • If an upgrade cannot be applied immediately, disable or restrict the bulk invoice download feature in the plugin settings or via server-side access controls.
  • Review the plugin’s version and apply any reported security advisories from the vendor.
  • Monitor WordPress access logs for repeated or suspicious download requests.
  • If the plugin is not essential, consider removing it from the site.
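Added example (not OpenCVE's or the plugin vendor's code) of the access-log monitoring the recommendations above call for: it scans constructed Apache-style log entries for clients that request many distinct, predictably named .zip archives and mostly receive 404s, the trace a brute-force walk of archive names would leave. The upload path prefix, the archive naming scheme and the thresholds are assumptions, since the advisory does not name the endpoint.

```python
import re
from collections import defaultdict

# Assumed, not from the advisory: the plugin's archive download path and the
# shape of the archive names are placeholders chosen for this example.
ARCHIVE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ARCHIVE_PATH_HINT = "/wp-content/uploads/invoices/"  # placeholder prefix

def flag_archive_enumeration(log_lines, min_distinct=5, min_miss_ratio=0.5):
    """Return {ip: (distinct_zip_names, miss_ratio)} for clients that look like
    they are walking a predictable archive namespace: many distinct .zip names
    requested and a high share of 404 responses (guesses that did not exist)."""
    seen = defaultdict(set)
    hits = defaultdict(lambda: [0, 0])  # per ip: [total zip requests, 404s]
    for line in log_lines:
        m = ARCHIVE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not (path.startswith(ARCHIVE_PATH_HINT) and path.endswith(".zip")):
            continue
        ip = m.group("ip")
        seen[ip].add(path)
        hits[ip][0] += 1
        if m.group("status") == "404":
            hits[ip][1] += 1
    flagged = {}
    for ip, names in seen.items():
        total, misses = hits[ip]
        ratio = misses / total
        if len(names) >= min_distinct and ratio >= min_miss_ratio:
            flagged[ip] = (len(names), round(ratio, 2))
    return flagged

# Constructed sample log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2026:10:00:%02d +0000] "GET /wp-content/uploads/invoices/invoices-2026-03-%02d.zip HTTP/1.1" %s 512 "-" "curl/8.0"'
    % (i, i, "200" if i in (3, 9) else "404")
    for i in range(1, 13)
] + [
    '198.51.100.4 - - [26/Mar/2026:10:05:00 +0000] "GET /wp-content/uploads/invoices/invoices-2026-03-09.zip HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Mar/2026:10:06:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (n, ratio) in flag_archive_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct archive names requested, 404 ratio {ratio}")
```

A single legitimate download of an existing archive (the second client) is not flagged; only the client sweeping twelve names with ten misses is.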

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-287

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-287

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-287

Wed, 25 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Peprodev Ultimate Invoice
Peprodev Ultimate Invoice peprodev Ultimate Invoice
Wordpress
Wordpress wordpress
Vendors & Products Peprodev Ultimate Invoice
Peprodev Ultimate Invoice peprodev Ultimate Invoice
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, making it possible to brute force and retrieve PII.
Title PeproDev Ultimate Invoice <= 2.2.5 - Unauthenticated Invoice Archive Download
MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:57.633Z

Reserved: 2026-02-11T14:13:06.230Z

Link: CVE-2026-2343

Vulnrichment

Updated: 2026-03-25T13:04:49.984Z

NVD

Status : Deferred

Published: 2026-03-25T06:16:28.407

Modified: 2026-04-15T15:05:47.827

Link: CVE-2026-2343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:31Z

Weaknesses