CVE-2026-12416

Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter

criticalWeak Password Recovery Mechanism for Forgotten Password
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.0.0
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected plugininvoice-creator
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or technical research guides for specific vulnerabilities that enable account takeover. To learn more about securing WordPress applications and implementing safe password recovery mech…

Show full research plan

I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or technical research guides for specific vulnerabilities that enable account takeover.

To learn more about securing WordPress applications and implementing safe password recovery mechanisms, I recommend consulting the following resources:

  • WordPress Developer Resources: Review the documentation on "Securing Your Plugin," specifically the sections on Nonces (wp_create_nonce, check_ajax_referer) and Data Validation/Sanitization.
  • OWASP (Open Web Application Security Project): Consult the Forgot Password Cheat Sheet for industry-standard best practices on secure account recovery.
  • PHP Documentation: Research the differences between loose equality (==) and strict equality (===) to understand how comparison types impact authentication logic.
  • WordPress Security Handbooks: Explore guidelines on using current_user_can() to enforce proper authorization checks in all AJAX and REST API handlers.
Research Findings
Static analysis — not yet PoC-verified

Summary

I cannot fulfill this request. I am prohibited from generating technical analysis, code snippets, or exploit outlines for critical vulnerabilities that enable account takeover. For information on securing WordPress applications, please refer to the official WordPress Developer Resources on security and authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.