Description
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
Published: 2026-06-15
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Easy Invoice WordPress plugin allows an unauthenticated attacker to execute arbitrary code on a target site. This remote code execution is a classic command‑injection flaw (CWE‑94). Based on the description, it is inferred that the attacker can exploit the vulnerability through crafted HTTP requests, giving the attacker full control over the compromised WordPress installation, including data exfiltration, site defacement, or further lateral movement. The impact is equivalent to a complete takeover of the affected site and any data stored therein.

Affected Systems

All WordPress sites that run the MantraBrain Easy Invoice plugin version 2.1.19 are affected. The vulnerability exists in the provided plugin package, irrespective of the WordPress core version; any site that has not upgraded beyond 2.1.19 remains at risk.

Risk and Exploitability

The CVSS score of 10 indicates an extremely severe vulnerability, while the EPSS score of <1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, which may reflect that there have been no widespread reports yet. Nevertheless, the ability to execute commands without authentication makes it a high‑priority threat; attackers may prioritize this vulnerability once it is publicly disclosed. Based on the description, it is inferred that crafted HTTP requests are used to trigger the vulnerability. The likelihood of exploitation depends on site visibility, network exposure, and the presence of the vulnerable plugin, but the potential damage warrants immediate action.

Generated by OpenCVE AI on June 18, 2026 at 00:39 UTC.

Remediation

Vendor Solution

Update the WordPress Easy Invoice Plugin to the latest available version (at least 2.1.20).


OpenCVE Recommended Actions

  • Update the Easy Invoice plugin to version 2.1.20 or later, which removes the vulnerable code path.
  • If an update is not immediately possible, remove or deactivate the Easy Invoice plugin to eliminate the attack surface until a fix can be applied.
  • Apply general WordPress hardening practices: restrict PHP execution permissions, maintain an up‑to‑date backup strategy, and monitor logs for anomalous behavior that could indicate exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 00:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mantrabrain
Mantrabrain easy Invoice
Wordpress
Wordpress wordpress
Vendors & Products Mantrabrain
Mantrabrain easy Invoice
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
Title WordPress Easy Invoice plugin <= 2.1.19 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Mantrabrain Easy Invoice
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:39:31.141Z

Reserved: 2026-05-25T14:28:27.466Z

Link: CVE-2026-48836

cve-icon Vulnrichment

Updated: 2026-06-16T13:37:24.235Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:15.970

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48836

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:58Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')