CVE-2026-12416

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel invoice change password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset activation code POST parameter and the target user's stored forgot email user meta — a check that trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset user id POST parameter, bypass the activation code check entirely by omitting reset activation code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.