CVE-2026-48836

Easy Invoice – Invoice Generator, PDF Quotes & Payments <= 2.1.19 - Unauthenticated Remote Code Execution

criticalImproper Control of Generation of Code ('Code Injection')
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
2.1.20
Patched in
11d
Time to patch

Description

The Easy Invoice – Invoice Generator, PDF Quotes & Payments plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.19. This makes it possible for unauthenticated attackers to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.1.19
PublishedJune 1, 2026
Last updatedJune 11, 2026
Affected plugineasy-invoice

What Changed in the Fix

Changes introduced in v2.1.20

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-48836 (Easy Invoice RCE) ## 1. Vulnerability Summary The **Easy Invoice** plugin for WordPress (<= 2.1.19) is vulnerable to **Unauthenticated Remote Code Execution** due to improper control of code generation during PDF document creation. The plugin registers…

Show full research plan

Exploitation Research Plan - CVE-2026-48836 (Easy Invoice RCE)

1. Vulnerability Summary

The Easy Invoice plugin for WordPress (<= 2.1.19) is vulnerable to **Unauthenticated Remote Code Execution** due to improper control of code generation during PDF document creation. The plugin registers unauthenticated AJAX handlers (nopriv_easy_invoice_generate_pdf) that process user-supplied HTML or template data. If the underlying PDF library (likely dompdf) is configured with PHP execution enabled (isPhpEnabled => true), an attacker can inject and execute arbitrary PHP code on the server.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: easy_invoice_generate_pdf or easy_invoice_generate_quote_pdf
  • Authentication: None (Unauthenticated via nopriv hook)
  • Preconditions: The plugin must be active. A valid Quote or Invoice ID may be required if the handler validates existence, though the vulnerability likely resides in the processing of arbitrary html or data parameters sent to the PDF engine.

3. Code Flow

  1. Registration: includes/Admin/EasyInvoiceAjax.php registers the AJAX actions:
    add_action('wp_ajax_nopriv_easy_invoice_generate_pdf', array($this, 'generateInvoicePdf'));
    add_
    

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.