Impact
The vulnerability in the Easy Invoice WordPress plugin allows an unauthenticated attacker to execute arbitrary code on a target site. This remote code execution is a classic command‑injection flaw (CWE‑94). Based on the description, it is inferred that the attacker can exploit the vulnerability through crafted HTTP requests, giving the attacker full control over the compromised WordPress installation, including data exfiltration, site defacement, or further lateral movement. The impact is equivalent to a complete takeover of the affected site and any data stored therein.
Affected Systems
All WordPress sites that run the MantraBrain Easy Invoice plugin version 2.1.19 are affected. The vulnerability exists in the provided plugin package, irrespective of the WordPress core version; any site that has not upgraded beyond 2.1.19 remains at risk.
Risk and Exploitability
The CVSS score of 10 indicates an extremely severe vulnerability, while the EPSS score of <1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, which may reflect that there have been no widespread reports yet. Nevertheless, the ability to execute commands without authentication makes it a high‑priority threat; attackers may prioritize this vulnerability once it is publicly disclosed. Based on the description, it is inferred that crafted HTTP requests are used to trigger the vulnerability. The likelihood of exploitation depends on site visibility, network exposure, and the presence of the vulnerable plugin, but the potential damage warrants immediate action.
OpenCVE Enrichment