CVE-2026-1748
Unauthorized Access in Invoct WooCommerce Plugin via Missing Capability Check
Publication date: 2026-02-11
Last updated on: 2026-04-08
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kiril_kirkov | invoct_pdf_invoices_billing_for_woocommerce | up to and including 1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is caused by a missing capability check on multiple functions in all versions up to and including 1.6.
This flaw allows authenticated attackers with Subscriber-level access or higher to access sensitive data without proper authorization.
Specifically, attackers can retrieve invoice clients, invoice items, and a list of WordPress users along with their email addresses.
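The pattern behind CWE-862 in a WordPress plugin, as an added example that is not the Invoct plugin's code: a hypothetical admin-ajax handler that returns invoice clients, first in the form that only requires the caller to be logged in, then with the capability and nonce checks that the fix for this class of bug adds. The function names, the `example_` action name, the table name and the nonce action are placeholders; `current_user_can`, `check_ajax_referer`, `wp_send_json_*` and the `manage_woocommerce` capability are real WordPress/WooCommerce APIs.

```php
<?php
// Added example (not the plugin's code). Names prefixed example_ are placeholders.

// --- Vulnerable pattern (CWE-862) ---
// A wp_ajax_{action} hook runs for ANY authenticated user. Nothing here asks
// whether that user is allowed to read invoice data, so a Subscriber who
// sends action=example_get_invoice_clients to admin-ajax.php receives it.
function example_get_invoice_clients_unchecked() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, name, email FROM {$wpdb->prefix}example_invoice_clients",
        ARRAY_A
    );
    wp_send_json_success($rows);
}
// The registration that makes the handler reachable; left unhooked here so the
// hardened version below is the only one bound to the action:
// add_action('wp_ajax_example_get_invoice_clients', 'example_get_invoice_clients_unchecked');

// --- Hardened pattern ---
function example_get_invoice_clients_checked() {
    // 1. Authorization: require a capability that only shop managers and
    //    administrators hold. Subscribers fail this check and get a 403.
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // 2. CSRF: the request must carry the nonce issued with the admin page
    //    (check_ajax_referer dies with 403 on mismatch). Do this before any
    //    data access, not after.
    check_ajax_referer('example_invoices_nonce', 'nonce');

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, name, email FROM {$wpdb->prefix}example_invoice_clients",
        ARRAY_A
    );
    wp_send_json_success($rows);
}
add_action('wp_ajax_example_get_invoice_clients', 'example_get_invoice_clients_checked');
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated callers never
// reach the handler at all.
```

The same two lines apply to any handler that exposes invoice items or a user list; for a user-listing endpoint the capability to test is `list_users` rather than `manage_woocommerce`. The check must sit in every handler, because the `wp_ajax_` prefix only proves the caller has a session, not that the session belongs to someone entitled to the data.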
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information such as client invoices, invoice items, and user email addresses.
Since even users with minimal privileges (Subscriber-level) can exploit this issue, it increases the risk of data leakage within the WordPress environment.
Such exposure can compromise client confidentiality, damage trust, and potentially facilitate further attacks or phishing attempts using the exposed email addresses.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access due to missing capability checks in the Invoct – PDF Invoices & Billing for WooCommerce plugin, allowing authenticated users with Subscriber-level access and above to retrieve sensitive data.
To detect exploitation attempts on your system, you can monitor for unusual access patterns to the plugin's endpoints or functions that handle invoice clients, invoice items, and user lists.
Since the plugin is a WordPress plugin, detection can include checking web server logs for suspicious requests made by authenticated users with low privileges accessing invoice or user data.
Specific commands are not provided in the available resources, but general approaches include:
- Review web server access logs (e.g., using grep) for requests to plugin-related URLs or AJAX handlers.
- Use WordPress audit or logging plugins to track access to invoice and user data endpoints.
- Check database query logs for unusual SELECT queries on invoice or user tables. [2]
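Web server access logs do not record which WordPress user or role made an admin-ajax.php call, which is the one fact that matters here. The following must-use plugin, an added example and not part of the Invoct plugin or of WordPress, records that fact: it hooks `admin_init` (which admin-ajax.php fires), keeps only AJAX actions whose name matches a watch-list, and writes the caller's user ID, roles and a LOW-PRIV flag to the PHP error log. The watch-list patterns and the `example_` names are assumptions; replace the patterns with the action names your installed plugin registers in its `add_action('wp_ajax_...')` calls.

```php
<?php
/**
 * Plugin Name: AJAX access audit (added example, not the Invoct plugin's code)
 * Install by copying into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Assumed watch-list: action names that touch invoice clients, invoice items or
// user lists. Tune these to the handlers the plugin actually registers.
const EXAMPLE_AUDIT_PATTERNS = ['/invoice/i', '/client/i', '/user/i'];

function example_ajax_audit_is_sensitive($action) {
    foreach (EXAMPLE_AUDIT_PATTERNS as $re) {
        if (preg_match($re, $action)) {
            return true;
        }
    }
    return false;
}

add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return; // only admin-ajax.php requests are of interest
    }
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
    if ($action === '' || !example_ajax_audit_is_sensitive($action)) {
        return;
    }

    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode(',', $user->roles) : 'anonymous';

    // A caller without store-management or user-listing rights reaching one of
    // these handlers is the access pattern described above. Privileged calls are
    // logged too, so the normal baseline is visible alongside the outliers.
    $privileged = current_user_can('manage_woocommerce') || current_user_can('list_users');

    error_log(sprintf(
        '[ajax-audit] %s user=%d roles=%s action=%s ip=%s',
        $privileged ? 'ok' : 'LOW-PRIV',
        $user->ID,
        $roles,
        $action,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
    ));
}, 0); // priority 0: run before the plugin's own admin_init work
```

The entries land in the PHP error log (or in wp-content/debug.log when `WP_DEBUG_LOG` is enabled); `grep LOW-PRIV` over that file gives the list of low-privilege accounts that reached invoice or user handlers, with the action name to correlate against the web server log by timestamp and IP. The logger observes only; it does not block, so it is a detection aid to run alongside the plugin update, not a substitute for it.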
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the Invoct β PDF Invoices & Billing for WooCommerce plugin to a version later than 1.6 where the missing capability checks are fixed.
- Restrict user roles and permissions so that Subscriber-level users cannot reach sensitive invoice or user data.
- Temporarily disable or deactivate the plugin if an update is not immediately available.
- Monitor user activity for suspicious access patterns to invoice or user data.