HarborGuard Database

CVE-2026-12416 | Severity: CRITICAL | CNA: Wordfence

CVE-2026-12416: Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta — a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
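The pattern the advisory describes, reconstructed as an added example for this page rather than the plugin's own source, with a hardened handler beside it. The AJAX action slugs, the `new_password` parameter name and the hardened function's name are assumptions; only `pravel_invoice_change_password`, `reset_user_id`, `reset_activation_code` and the `forgot_email` user meta come from the advisory.

```php
<?php
// Added example, not the plugin's code. Assumed names: the AJAX action slugs,
// the 'new_password' parameter and invoice_reset_password_hardened().

// 1. Vulnerable shape as described: public (nopriv) handler, no nonce, no
//    capability check, loose comparison against a meta value that is '' for
//    any user who never started a forgot-password flow.
add_action( 'wp_ajax_nopriv_pravel_invoice_change_password', 'pravel_invoice_change_password' );
add_action( 'wp_ajax_pravel_invoice_change_password', 'pravel_invoice_change_password' );

function pravel_invoice_change_password() {
    $user_id = isset( $_POST['reset_user_id'] ) ? intval( $_POST['reset_user_id'] ) : 0;
    $code    = isset( $_POST['reset_activation_code'] ) ? $_POST['reset_activation_code'] : '';
    $stored  = get_user_meta( $user_id, 'forgot_email', true ); // '' when never written

    // Attacker omits reset_activation_code: '' == '' is true, so any user ID works.
    if ( $code == $stored ) {
        wp_set_password( $_POST['new_password'], $user_id );
        wp_send_json_success( 'Password changed' );
    }
    wp_send_json_error( 'Invalid activation code' );
}

// 2. Hardened shape: the request must carry a nonce from the reset form, the
//    key is verified with WordPress's hashed, expiring reset-key API, and the
//    user is bound to the key instead of being trusted from the request.
add_action( 'wp_ajax_nopriv_invoice_reset_password', 'invoice_reset_password_hardened' );

function invoice_reset_password_hardened() {
    check_ajax_referer( 'invoice_reset_password', 'nonce' ); // dies on missing/bad nonce

    $user_id = absint( $_POST['reset_user_id'] ?? 0 );
    $key     = (string) ( $_POST['reset_activation_code'] ?? '' );
    $new     = (string) ( $_POST['new_password'] ?? '' );

    // Reject the "nothing supplied" case explicitly; an empty key never matches.
    if ( 0 === $user_id || '' === $key || '' === $new ) {
        wp_send_json_error( 'Missing parameters', 400 );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'Invalid request', 403 );
    }

    // The key was issued with get_password_reset_key( $user ) when the reset was
    // requested. check_password_reset_key() hashes the supplied key, enforces
    // expiry, and returns WP_Error on mismatch or on an empty key.
    $checked = check_password_reset_key( $key, $user->user_login );
    if ( is_wp_error( $checked ) || (int) $checked->ID !== $user_id ) {
        wp_send_json_error( 'Invalid or expired key', 403 );
    }

    // reset_password() calls wp_set_password(), which clears user_activation_key,
    // so the key is single-use.
    reset_password( $user, $new );
    wp_send_json_success( 'Password changed' );
}
```

If a plugin keeps its own `forgot_email` meta instead of the core key API, the same rules apply: refuse when either side is empty, compare with `hash_equals()` (strict, constant-time), attach an expiry, and delete the meta before changing the password so the code cannot be replayed.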

Metrics

CVSS v3.1 score: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass and account takeover vulnerability in the Invoice Generator plugin for WordPress, versions 1.0.0 and below. The flaw is reachable over the network with no credentials required: the plugin registers a password-reset function as a public AJAX handler, performs a loose equality check on an activation code that is empty by default for most users (including administrators), and accepts an arbitrary user ID supplied by the attacker. A successful exploit lets an unauthenticated attacker set the password of any WordPress account to a value they choose, giving them full control of that account. No fix version has been published; HarborGuard tracks the upstream advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Wordfence feed, within minutes of publication and matched against all customer images and pipeline artifacts that bundle this plugin, including custom-built WordPress images.

Triage: Available

HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each customer environment's compliance policy to determine escalation priority. Findings can be routed to the appropriate team inbox within the customer organization based on policy configuration.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX endpoint is exposed over the network through wp-admin/admin-ajax.php, so the attacker must be able to reach the site over the internet or an accessible network.

  • Authentication: Not required

    The handler is registered as a nopriv AJAX action, so no WordPress account or session of any kind is needed to invoke it.

  • Victim interaction: Not required

    The attacker sends a crafted POST request directly to the server; no action from any user or administrator is required.

  • Attack complexity: Low

    The exploit is reliable and condition-free: the activation code check passes for any user who has never requested a password reset through the plugin (which covers administrators under normal conditions), so the attacker needs only a numeric user ID. The first account created during WordPress installation is normally ID 1, and low IDs can simply be tried in sequence.

Blast Radius

  • The attacker gains the ability to set the password of any WordPress account, including administrator accounts, to an attacker-chosen value, achieving full account takeover.
  • With administrator access, the attacker can read all site content, stored user data, payment records, and any invoice data managed by the plugin.
  • An attacker with administrator access can modify or delete site content, install or alter plugins and themes, and change site configuration.
  • Full WordPress administrator control enables the attacker to render the site unavailable by disabling it, corrupting the database, or removing critical content.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-12416 at this time, the recommended immediate compensating controls are:

  • Disable or remove the Invoice Generator plugin from affected WordPress images until a patch is available. This removes the nopriv handler entirely and is the most reliable control.
  • Where the plugin must stay active, add a web application firewall rule that blocks POST requests to wp-admin/admin-ajax.php whose body contains the reset_user_id parameter. The rule has to inspect the POST body, not only the URL, and it will also block the plugin's own reset flow, which is acceptable while the handler is exploitable.
  • Restricting all external access to wp-admin/admin-ajax.php by network policy is a blunter option: many plugins and themes use that endpoint for unauthenticated front-end features, so test the impact before applying it site-wide.

HarborGuard monitors the Wordfence advisory and the plugin's release channel on every ingest cycle. The moment a patched version is published, a rebuilt image will become available, and for customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads will be triggered automatically. For high and critical severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes after a fix version becomes available upstream.
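A site-level stand-in for the WAF rule above, as an added example that is neither HarborGuard's nor the plugin's code: a must-use plugin that rejects any admin-ajax.php POST carrying `reset_user_id` before WordPress dispatches the AJAX action. The file location, function name and log format are assumptions.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-12416
 * Description: Added example, not the plugin's code. Rejects admin-ajax.php POSTs
 *              that carry reset_user_id until a fixed Invoice Generator is installed.
 *
 * Assumed location: wp-content/mu-plugins/cve-2026-12416-block.php. Must-use
 * plugins load before regular plugins and cannot be disabled from the dashboard.
 */

add_action( 'init', 'cve_2026_12416_block_reset_requests', 0 );

function cve_2026_12416_block_reset_requests() {
    // admin-ajax.php defines DOING_AJAX before loading WordPress, so 'init'
    // (fired during bootstrap) runs before any wp_ajax_* or wp_ajax_nopriv_*
    // handler is dispatched.
    if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) {
        return;
    }
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    // The advisory's exploit signature: a POST body containing reset_user_id.
    // The plugin's own reset flow is blocked as well; that is intended until a fix ships.
    if ( ! isset( $_POST['reset_user_id'] ) ) {
        return;
    }

    // Record enough to separate probes (no activation code at all) from
    // ordinary plugin traffic; format is an assumption.
    error_log( sprintf(
        'CVE-2026-12416: blocked admin-ajax POST ip=%s action=%s reset_user_id=%d code_supplied=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        sanitize_key( (string) ( $_POST['action'] ?? '' ) ),
        absint( $_POST['reset_user_id'] ),
        isset( $_POST['reset_activation_code'] ) ? 'yes' : 'no'
    ) );

    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
```

`init` fires on every request, so the early returns keep the cost negligible for anything other than an admin-ajax.php POST. Remove the file once a release newer than 1.0.0 that addresses the advisory is installed.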

Affected packages
  • pravel / Invoice Generator
    ≤ 1.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H