CVE-2026-12415: Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter
The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege escalation via account takeover in the Invoice Generator plugin for WordPress (versions up to and including 1.0.0). The vulnerability is reachable over the network with no authentication required: an unauthenticated attacker sends a crafted POST request to the exposed AJAX endpoint, supplying an arbitrary user_id and a replacement email address, which the plugin passes directly to wp_update_user() without any capability check, ownership verification, or nonce validation. Successful exploitation lets the attacker change any user's email address, including site administrators, then trigger WordPress's built-in password reset flow to fully take over the targeted account. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.
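The two descriptions above (the header summary and the synopsis) describe the same defect: an AJAX handler reachable through wp_ajax_nopriv_ that passes a caller-chosen user_id and user_email straight into wp_update_user(). The following is an added, illustrative reconstruction of that pattern next to a hardened version; it is not the Invoice Generator plugin's code and not HarborGuard's. Only the hook name, the handler name pravel_invoice_edit_account, and the user_id / user_email POST parameters come from the advisory; the function names used here, the nonce action string, and the JSON responses are assumptions for the example.

```php
<?php
// Added example for this advisory. NOT the plugin's actual source; function
// names, nonce action and response shapes are assumptions.

// ---- Vulnerable pattern as described in the advisory -----------------------
// Reachable with no session (wp_ajax_nopriv_*), no nonce, no capability check,
// and the caller picks which account to modify.
function example_pravel_edit_account_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
    $email   = isset( $_POST['user_email'] ) ? $_POST['user_email'] : '';
    // Any user_id, any email, for anyone on the internet. Once the admin's
    // address points at the attacker, a normal "Lost your password?" request
    // delivers the reset link to the attacker.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', 'example_pravel_edit_account_vulnerable' );

// ---- Hardened version -----------------------------------------------------
function example_pravel_edit_account_hardened() {
    // 1. Anti-CSRF nonce. The plugin's own UI must emit it with
    //    wp_create_nonce( 'pravel_invoice_edit_account' ) (action name assumed).
    //    check_ajax_referer() dies with HTTP 403 when the nonce is missing/invalid.
    check_ajax_referer( 'pravel_invoice_edit_account', '_ajax_nonce' );

    // 2. Authentication. Registering only wp_ajax_ (below) already guarantees a
    //    session, but an explicit check keeps the function safe if re-hooked.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Ownership / capability. A user may edit their own account; touching any
    //    other account requires the core 'edit_user' meta capability for that ID,
    //    which map_meta_cap() grants only to users who can edit_users.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id ) {
        $user_id = get_current_user_id();
    }
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Input validation: syntactically valid email, not owned by another account.
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    $owner = email_exists( $email );
    if ( $owner && (int) $owner !== $user_id ) {
        wp_send_json_error( array( 'message' => 'Email address already in use.' ), 409 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Authenticated hook only. There is no legitimate reason for an anonymous
// request to change the email address on an existing account, so the
// wp_ajax_nopriv_ registration is simply dropped.
add_action( 'wp_ajax_pravel_invoice_edit_account', 'example_pravel_edit_account_hardened' );
```

Two points worth noting when reviewing a fix of this kind: removing the nopriv registration alone is not enough, because without the ownership check in step 3 any subscriber-level account could still retarget an administrator; and wp_update_user() changing another user's email does not go through the confirmation step that profile.php applies to a user's own address, so the email-ownership validation in step 4 is the only check that runs.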
HarborGuard Coverage
Detection for CVE-2026-12415 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds, including the Wordfence feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. This coverage extends to custom-built WordPress images that bundle the Invoice Generator plugin.
Status: Available
HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's configured compliance policy to determine breach thresholds and escalation rules. Triage routing to the appropriate team inbox within each customer organization is part of the standard finding workflow.
Status: Available
Because no upstream fix version exists for CVE-2026-12415, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who have opted into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version is published.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
The handler is registered under wp_ajax_nopriv, meaning no account or session of any kind is needed to invoke it.
- Victim interaction: Not required
The attacker acts entirely on their own; no victim needs to click a link or take any action for the account takeover to succeed.
- Attack complexity: Low
Exploitation is reliable and condition-free: the attacker supplies two POST parameters and the plugin performs the update unconditionally, with no race condition or environmental dependency.
Blast Radius
- The attacker replaces the email address of any WordPress user, including administrators, giving them control over that account's password reset flow.
- Full administrative access to the WordPress site becomes available, including the ability to install plugins, modify themes, and alter site content.
- All data accessible to the hijacked account, such as stored customer records, invoice data, and credentials saved in the WordPress database, is exposed to the attacker.
- The attacker can modify or delete site content, create new administrator accounts, and persist access even after the original account owner notices and changes their password.
How HarborGuard Handles This
Because no upstream patch exists for CVE-2026-12415, the platform monitors the Wordfence advisory and the upstream plugin repository on every ingest cycle and will surface a patched-image rebuild the moment a fix is published. In the interim, compensating controls available to customers include: restricting public access to WordPress AJAX endpoints, specifically rejecting unauthenticated POST requests to wp-admin/admin-ajax.php whose action parameter is pravel_invoice_edit_account (the action name travels in the request body or query string, so this needs a layer-7 control such as a WAF rule or a WordPress-side hook rather than a port-level network policy); egress filtering to limit lateral movement from a compromised WordPress container; and feature-flag or plugin-deactivation gating so that the Invoice Generator plugin can be disabled until a fix is available. For customers with auto-remediation enabled, the full rebuild, regression-test, and PR workflow will trigger automatically against affected workloads as soon as an upstream fix version is ingested.
Status: Available
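One way to implement the "block the unauthenticated action" control directly in WordPress, without depending on a WAF that parses POST bodies, is a must-use plugin that registers its own callbacks on the affected hooks ahead of the plugin's. The following is an added example for this advisory, not code from the Invoice Generator plugin or from HarborGuard. It assumes that the plugin registers its handler at WordPress's default hook priority (10) or later, so a callback at PHP_INT_MIN runs first and ends the request before the vulnerable handler executes, and that any authenticated variant of the action, if one exists, is hooked as wp_ajax_pravel_invoice_edit_account (the advisory names only the nopriv hook).

```php
<?php
/**
 * Plugin Name: Interim block for pravel_invoice_edit_account (CVE-2026-12415)
 * Description: Copy into wp-content/mu-plugins/ to neutralise the unauthenticated
 *              account-edit AJAX action until a fixed Invoice Generator release ships.
 *
 * Added example, not the plugin's or HarborGuard's code. Assumes the vulnerable
 * handler is registered at priority >= 10 and that the authenticated hook name
 * below is correct; both are assumptions.
 */

// Small helper: log a blocked attempt with the caller address and the requested
// target, stripping non-digits from user_id so log lines cannot be forged.
function cve_2026_12415_log_block( $why ) {
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $target = isset( $_POST['user_id'] ) ? preg_replace( '/\D/', '', (string) $_POST['user_id'] ) : '';
    error_log( sprintf(
        '[cve-2026-12415] blocked pravel_invoice_edit_account (%s) from %s for user_id=%s',
        $why, $ip, $target
    ) );
}

// 1. Unauthenticated requests: refuse the action outright. admin-ajax.php fires
//    wp_ajax_nopriv_{action} only for visitors with no session, so nothing
//    legitimate is lost by ending the request here. wp_send_json_error() calls
//    wp_die(), so the plugin's own callback at priority 10 never runs.
add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', function () {
    cve_2026_12415_log_block( 'unauthenticated' );
    wp_send_json_error( array( 'message' => 'This action is disabled.' ), 403 );
}, PHP_INT_MIN );

// 2. Authenticated requests (hook name assumed): enforce the ownership check the
//    plugin omits. A session may only modify its own account unless it holds
//    edit_users, which on a single site is effectively administrators only.
//    If the check passes, execution falls through to the plugin's handler.
add_action( 'wp_ajax_pravel_invoice_edit_account', function () {
    $target = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( $target !== get_current_user_id() && ! current_user_can( 'edit_users' ) ) {
        cve_2026_12415_log_block( 'cross-account' );
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}, PHP_INT_MIN );
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, which is why they suit an interim control like this; the hook priority, not load order, is what guarantees the guard runs first. The authenticated guard does not add a nonce, because the plugin's own front-end would not send one, so a cross-site request that changes a logged-in user's own email remains possible until the upstream fix lands; the error_log lines give the SOC a signal to alert on in the meantime.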
Affected Products
- pravel / Invoice Generator: ≤ 1.0.0
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H