CVE-2024-13719

Name of the Vulnerable Software and Affected Versions PeproDev Ultimate Invoice plugin for WordPress versions up to, and including, 2.0.8

Description The issue concerns an Insecure Direct Object Reference vulnerability in the PeproDev Ultimate Invoice plugin for WordPress. This vulnerability arises due to missing validation on a user-controlled key in the invoicing viewer. As a result, unauthenticated attackers can view invoices for completed orders, potentially accessing personally identifiable information (PII) of users.

Recommendations For versions up to, and including, 2.0.8, update to a version higher than 2.0.8 to resolve the issue. As a temporary workaround, consider restricting access to the invoicing viewer to prevent unauthenticated attackers from viewing invoices for completed orders.