CVE-2026-12416
Deferred Deferred - Pending Action

Account Takeover via Password Reset in Invoice Generator WordPress Plugin

Vulnerability report for CVE-2026-12416, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: Wordfence

Description

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user's stored `forgot_email` user meta β€” a check that trivially evaluates to true (`'' == ''`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pravel invoice_generator to 1.0.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Invoice Generator plugin for WordPress has a vulnerability that allows an attacker to take over any user account, including administrator accounts, by exploiting the password reset functionality.

This happens because the function handling password resets does not verify the authenticity of the request properly. Specifically, it lacks nonce verification and authorization checks, and it uses a weak comparison between the reset activation code provided and the stored user data.

If a user has never requested a password reset, the check always passes, allowing an attacker to supply any user ID and reset that user's password without needing the activation code.

Compliance Impact

The vulnerability allows unauthenticated attackers to take over any account on the site, including administrator accounts, by resetting passwords without proper authorization checks.

Such unauthorized account takeover can lead to unauthorized access to sensitive personal data, which may result in violations of data protection regulations such as GDPR and HIPAA.

Specifically, the compromise of administrator accounts can lead to full control over the website and its data, increasing the risk of data breaches and non-compliance with security requirements mandated by these standards.

Impact Analysis

This vulnerability can lead to a full account takeover of any user on the affected WordPress site, including administrators.

An attacker can reset the password of any user without authorization, gaining complete control over that account.

With administrator access, the attacker can manipulate the website, steal sensitive data, install malicious code, or disrupt services.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the AJAX handler associated with the Invoice Generator plugin's password reset functionality. Specifically, look for POST requests to the endpoint handling the pravel_invoice_change_password() function that include parameters such as reset_user_id without a reset_activation_code.

Since the vulnerability involves unauthenticated attackers sending crafted POST requests, network or web server logs can be inspected for suspicious password reset attempts that do not include a reset_activation_code or that target administrator user IDs.

No specific commands or detection scripts are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable password reset AJAX handler in the Invoice Generator plugin until a patch is applied.

Ensure that the plugin is updated to a version beyond 1.0.0 once a fix is released, as all versions up to and including 1.0.0 are affected.

As a temporary measure, consider implementing web application firewall (WAF) rules to block unauthenticated POST requests to the vulnerable AJAX endpoint or to require nonce verification and authorization checks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart