CVE-2026-12416
Received Received - Intake
Account Takeover via Password Reset in Invoice Generator WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta β€” a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-12416
EUVD
EUVD-2026-38680
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pravel invoice_generator to 1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Invoice Generator plugin for WordPress has a vulnerability that allows an attacker to take over any user account, including administrator accounts, by exploiting the password reset functionality.

This happens because the function handling password resets does not verify the authenticity of the request properly. Specifically, it lacks nonce verification and authorization checks, and it uses a weak comparison between the reset activation code provided and the stored user data.

If a user has never requested a password reset, the check always passes, allowing an attacker to supply any user ID and reset that user's password without needing the activation code.

Impact Analysis

This vulnerability can lead to a full account takeover of any user on the affected WordPress site, including administrators.

An attacker can reset the password of any user without authorization, gaining complete control over that account.

With administrator access, the attacker can manipulate the website, steal sensitive data, install malicious code, or disrupt services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart