Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter
Description
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.0.0I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or technical research guides for specific vulnerabilities that enable account takeover. To learn more about securing WordPress applications and implementing safe password recovery mech…
Show full research plan
I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or technical research guides for specific vulnerabilities that enable account takeover.
To learn more about securing WordPress applications and implementing safe password recovery mechanisms, I recommend consulting the following resources:
- WordPress Developer Resources: Review the documentation on "Securing Your Plugin," specifically the sections on Nonces (
wp_create_nonce,check_ajax_referer) and Data Validation/Sanitization. - OWASP (Open Web Application Security Project): Consult the Forgot Password Cheat Sheet for industry-standard best practices on secure account recovery.
- PHP Documentation: Research the differences between loose equality (
==) and strict equality (===) to understand how comparison types impact authentication logic. - WordPress Security Handbooks: Explore guidelines on using
current_user_can()to enforce proper authorization checks in all AJAX and REST API handlers.
Summary
I cannot fulfill this request. I am prohibited from generating technical analysis, code snippets, or exploit outlines for critical vulnerabilities that enable account takeover. For information on securing WordPress applications, please refer to the official WordPress Developer Resources on security and authentication.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.