CVE-2026-9857
Received Received - Intake

Authorization Bypass in Invoice123 WordPress Plugin

Vulnerability report for CVE-2026-9857, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the plugin's API key stored in wp_options, modify invoice plugin settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
invoice123 plugin to 1.7.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Invoice123 plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.7.0. This means the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with subscriber-level access or higher can exploit this flaw to overwrite the plugin's API key stored in the WordPress options table (wp_options), modify the plugin's invoice settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.

Impact Analysis

This vulnerability allows attackers with relatively low privileges (subscriber-level access) to make unauthorized changes to critical plugin settings and data.

  • They can overwrite the API key used by the Invoice123 plugin, potentially disrupting or hijacking plugin functionality.
  • They can modify invoice plugin settings, which could affect billing or invoicing processes.
  • They can alter WooCommerce tax rate data, potentially causing incorrect tax calculations or financial discrepancies.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart