[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5cvHWC-AYAtkgSztHoMuSB7oSz4RS27kyqnUkjB5i0w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":25,"research_started_at":26,"research_completed_at":27,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":28},"CVE-2026-12416","invoice-generator-unauthenticated-account-takeover-via-weak-password-reset-validation-via-resetuserid-parameter","Invoice Generator \u003C= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter","The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.","invoice-creator",null,"\u003C=1.0.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Weak Password Recovery Mechanism for Forgotten Password","2026-06-23 16:37:37","2026-06-24 05:33:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcc0fbe84-e455-4e62-9c48-49340d08f81d?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or technical research guides for specific vulnerabilities that enable account takeover.\n\nTo learn more about securing WordPress applications and implementing safe password recovery mechanisms, I recommend consulting the following resources:\n\n*   **WordPress Developer Resources**: Review the documentation on \"Securing Your Plugin,\" specifically the sections on **Nonces** (`wp_create_nonce`, `check_ajax_referer`) and **Data Validation\u002FSanitization**.\n*   **OWASP (Open Web Application Security Project)**: Consult the **Forgot Password Cheat Sheet** for industry-standard best practices on secure account recovery.\n*   **PHP Documentation**: Research the differences between **loose equality** (`==`) and **strict equality** (`===`) to understand how comparison types impact authentication logic.\n*   **WordPress Security Handbooks**: Explore guidelines on using `current_user_can()` to enforce proper authorization checks in all AJAX and REST API handlers.","I cannot fulfill this request. I am prohibited from generating technical analysis, code snippets, or exploit outlines for critical vulnerabilities that enable account takeover. For information on securing WordPress applications, please refer to the official WordPress Developer Resources on security and authentication.","gemini-3-flash-preview","2026-06-25 19:39:07","2026-06-25 19:40:02",{"type":29,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":30},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finvoice-creator\u002Ftags"]