CVE-2026-8611 - Vulnerability Details

- Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter

Description

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.

Published: 2026-06-06

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Klamra Paycal for Aspaclaria plugin for WordPress contains an insecure direct object reference that allows authenticated users with subscriber or higher privileges to download any customer invoice by specifying an arbitrary 'invoice_id'. This flaw permits attackers to see sensitive billing personal data such as full names, email addresses, phone numbers, order totals, line items and customer notes of other customers. The vulnerability arises from a missing server‑side check on the object identifier, exposing PII in the downloaded invoices.

Affected Systems

Vulnerable installations are those running any version of the Klamra Paycal for Aspaclaria plugin up to and including 1.1.4 on WordPress. The affected component is the download functionality that accepts an 'invoice_id' parameter.

Risk and Exploitability

The flaw carries a CVSS score of 4.3, indicating a moderate risk level. Because the attack requires an authenticated WordPress session with subscriber‑level access, attackers must first compromise or legitimately obtain site credentials. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. No public exploits are reported, but the attack surface is exposed to any authenticated user on the site, making it a potential internal threat.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

klamra22

Klamra Paycal for Aspaclaria

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.4

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Klamra Paycal for Aspaclaria plugin to a version that fixes the IDOR flaw (any release newer than 1.1.4 if available).
If an update is not immediately available, modify the plugin code or use a security plugin to enforce a server‑side check that the logged‑in user owns the requested invoice before allowing download.
Disable or obfuscate sequential 'invoice_id' values in URLs to prevent enumeration of invoices by attackers.

Generated by OpenCVE AI on June 6, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4
https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7
https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/render.php#L72
https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4
https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7
https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/render.php#L72
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3555026%40klamra-paycal-for-aspaclaria&new=3555026%40klamra-paycal-for-aspaclaria&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b07dc6ff-f88d-4c5a-8cd5-7c20f1755ece?source=cve

History

Sat, 06 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 06 Jun 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
Title		Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter
Weaknesses		CWE-639
References		https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4 https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7 https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/render.php#L72 https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4 https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7 https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/render.php#L72 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3555026%40klamra-paycal-for-aspaclaria&new=3555026%40klamra-paycal-for-aspaclaria&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/b07dc6ff-f88d-4c5a-8cd5-7c20f1755ece?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-06T03:28:25.476Z

Updated: 2026-06-06T11:42:22.209Z

Reserved: 2026-05-14T16:04:08.456Z

Link: CVE-2026-8611

Vulnrichment

Updated: 2026-06-06T11:42:16.959Z

NVD

Status : Received

Published: 2026-06-06T05:16:29.383

Modified: 2026-06-06T05:16:29.383

Link: CVE-2026-8611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T06:30:14Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object