CVE-2026-12415

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel invoice edit account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp ajax nopriv pravel invoice edit account, accepts an attacker-controlled user id and user email from POST data, and calls wp update user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.