Pravel Invoice Generator vulnerabilities
2 known vulnerabilities affecting pravel/invoice_generator.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2
Vulnerabilities
CVE-2026-12416 | P2 | CRITICAL | CVSS 9.8 | ≤ 1.0.0 | 2026-06-24 | CWE-640
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison betwe
Source: NVD
CVE-2026-12415 | P2 | CRITICAL | CVSS 9.8 | ≤ 1.0.0 | 2026-06-27 | CWE-269
The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and
Source: NVD