Easy Invoice – Invoice Generator, PDF Quotes & Payments <= 2.1.19 - Unauthenticated Remote Code Execution
Description
The Easy Invoice – Invoice Generator, PDF Quotes & Payments plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.19. This makes it possible for unauthenticated attackers to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
What Changed in the Fix
Changes introduced in v2.1.20
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-48836 (Easy Invoice RCE) ## 1. Vulnerability Summary The **Easy Invoice** plugin for WordPress (<= 2.1.19) is vulnerable to **Unauthenticated Remote Code Execution** due to improper control of code generation during PDF document creation. The plugin registers…
Show full research plan
Exploitation Research Plan - CVE-2026-48836 (Easy Invoice RCE)
1. Vulnerability Summary
The Easy Invoice plugin for WordPress (<= 2.1.19) is vulnerable to **Unauthenticated Remote Code Execution** due to improper control of code generation during PDF document creation. The plugin registers unauthenticated AJAX handlers (nopriv_easy_invoice_generate_pdf) that process user-supplied HTML or template data. If the underlying PDF library (likely dompdf) is configured with PHP execution enabled (isPhpEnabled => true), an attacker can inject and execute arbitrary PHP code on the server.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
easy_invoice_generate_pdforeasy_invoice_generate_quote_pdf - Authentication: None (Unauthenticated via
noprivhook) - Preconditions: The plugin must be active. A valid Quote or Invoice ID may be required if the handler validates existence, though the vulnerability likely resides in the processing of arbitrary
htmlordataparameters sent to the PDF engine.
3. Code Flow
- Registration:
includes/Admin/EasyInvoiceAjax.phpregisters the AJAX actions:add_action('wp_ajax_nopriv_easy_invoice_generate_pdf', array($this, 'generateInvoicePdf')); add_
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.