CVE-2026-2343
Insecure Direct Object Reference in PeproDev Invoice Plugin
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| peprodev | ultimate_invoice | < 2.2.6 (2.2.6 excluded; 2.2.5 and earlier are affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2343 affects the PeproDev Ultimate Invoice WordPress plugin in versions up to and including 2.2.5. The plugin's bulk download invoices feature writes the exported invoice PDFs into a ZIP archive, and the archive is named from the generation date and time, down to the second.

Because the name is derived only from the timestamp, an attacker who knows or can guess the minute in which an export was generated has just one unknown field left: the seconds value. Iterating it from 00 to 59 takes at most 60 requests and locates the archive, and no authentication is required to download it.

The result is unauthenticated access to ZIP archives of invoices, which expose the personally identifiable information (PII) they contain. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of the sensitive personal information contained in invoice PDFs, such as names, addresses and other PII.

An attacker can exploit the predictable ZIP file naming to download these files without authentication, which can lead to privacy breaches and identity theft.

Exposure of this data can also damage your organization's reputation and trustworthiness. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The plugin's bulk download feature writes archives named `InvoicesArchive-YYYY_MM_DD_HH_MM_SS.zip`, so you can check whether such archives are reachable by requesting the names an attacker would guess. An attacker iterates the seconds field (00 to 59) for a known or suspected minute and sends HTTP HEAD requests; a `200 OK` response means the archive exists and can be downloaded without authentication.

To test your own installation, run the same probe against the directory the plugin writes to, for example in bash:

```bash
# Probe all 60 seconds values for one minute. Replace the host, path and the
# YYYY_MM_DD_HH_MM prefix with the values for your installation; only lines
# starting with 200 indicate an exposed archive.
for i in $(seq -w 0 59); do
  curl -I -s -o /dev/null -w "%{http_code} %{url_effective}\n" \
    "https://your-site.com/path/InvoicesArchive-YYYY_MM_DD_HH_MM_${i}.zip"
done | grep '^200'
```

Two caveats: some hosts block HEAD or answer it differently from GET, so confirm any hit with a GET request (`curl -s -o /dev/null -w "%{http_code}\n" <url>`), and a clean probe only shows that no archive from that minute is currently present. The authoritative check is the installed plugin version: anything below 2.2.6 is affected. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the PeproDev Ultimate Invoice WordPress plugin to version 2.2.6 or later, where this vulnerability has been fixed.
Until the update is applied, restrict access to the bulk download invoices feature and deny direct web access to the directory where the ZIP files are stored. Archives that were already generated under the predictable naming scheme remain guessable until they are removed or protected, so clear them out as well.
Additionally, monitor your logs for any suspicious requests attempting to access ZIP files with predictable names.
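As an added example (not from the advisory or the plugin), the following Python script implements the log monitoring suggested above and the detection logic described in the detection answer: it parses web-server access logs in the Combined Log Format, groups requests for `InvoicesArchive-YYYY_MM_DD_HH_MM_SS.zip` names by client address and by the minute prefix in the filename, and flags a client that probes many different seconds values for the same minute in a short window. The upload path, the client addresses, the threshold and the log lines themselves are constructed for illustration and are not taken from the page.

```python
"""Flag clients guessing the seconds field of InvoicesArchive-YYYY_MM_DD_HH_MM_SS.zip
names in web server access logs. Added example; log lines, addresses, upload path and
thresholds are constructed assumptions, not values from the advisory."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Archive name pattern from the advisory: the minute prefix is what an attacker
# knows or guesses, the seconds field is what they enumerate.
ARCHIVE_RE = re.compile(
    r'InvoicesArchive-(?P<minute>\d{4}_\d{2}_\d{2}_\d{2}_\d{2})_(?P<second>\d{2})\.zip$'
)


def parse_line(line):
    """Return a dict for requests to an invoice archive, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    a = ARCHIVE_RE.search(m['path'])
    if not a:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': m['path'],
        'status': int(m['status']),
        'minute': a['minute'],
        'second': a['second'],
    }


def find_enumeration(lines, threshold=10, window_seconds=120):
    """Group archive requests by (client, minute prefix). A client that tries
    `threshold` or more distinct seconds values for one minute within
    `window_seconds` is guessing names rather than following a link. Returns one
    alert per such (client, minute), listing the paths that actually returned 200."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[(rec['ip'], rec['minute'])].append(rec)

    alerts = []
    for (ip, minute), recs in sorted(buckets.items()):
        recs.sort(key=lambda r: r['ts'])
        distinct_seconds = {r['second'] for r in recs}
        span = (recs[-1]['ts'] - recs[0]['ts']).total_seconds()
        if len(distinct_seconds) >= threshold and span <= window_seconds:
            alerts.append({
                'ip': ip,
                'minute': minute,
                'guesses': len(distinct_seconds),
                'downloaded': sorted(r['path'] for r in recs if r['status'] == 200),
            })
    return alerts


def build_sample_log():
    """Constructed access log: one legitimate download, then an attacker probing
    all 60 seconds values of the same minute with HEAD requests. The upload path
    is an assumption about where the plugin stores its archives."""
    base = '/wp-content/uploads/InvoicesArchive-2026_03_25_10_14_'
    lines = [
        '198.51.100.5 - - [25/Mar/2026:10:14:40 +0000] '
        f'"GET {base}33.zip HTTP/1.1" 200 48213'
    ]
    for s in range(60):
        status = 200 if s == 33 else 404  # only the real archive answers 200
        lines.append(
            f'203.0.113.7 - - [25/Mar/2026:10:16:{s:02d} +0000] '
            f'"HEAD {base}{s:02d}.zip HTTP/1.1" {status} 0'
        )
    return lines


if __name__ == '__main__':
    for alert in find_enumeration(build_sample_log()):
        print(f"{alert['ip']} probed {alert['guesses']} names for minute "
              f"{alert['minute']}; downloaded: {alert['downloaded']}")
```

The legitimate client requests a single name and is never flagged; the probing client touches 60 distinct names for one minute prefix inside a two-minute window and is reported together with the one path that returned 200, which is the archive that was actually exposed. The threshold of 10 is a starting point, not a value from the advisory: a real user has no reason to request more than one or two archive names per minute prefix, so anything well above that is enumeration. Swapping `ARCHIVE_RE` makes the same bucketing logic work for any other predictably named export.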