PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12415 pravel CVE debrief

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account. The vulnerability has a CVSS score of 9.8 and is considered CRITICAL. The CVE record was published on June 27, 2026, and last modified on June 29, 2026.

Vendor: pravel
Product: Invoice Generator
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-27
Original CVE updated: 2026-06-29
Advisory published: 2026-06-27
Advisory updated: 2026-06-29

Who should care

Administrators and users of the Invoice Generator plugin for WordPress should be aware of this vulnerability and take immediate action to update to a patched version. Additionally, users with administrative privileges should be cautious of potential attacks that could lead to unauthorized access to their accounts.

Technical summary

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account and accepts attacker-controlled user_id and user_email from POST data. This allows unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account. The vulnerability has a CVSS score of 9.8 and is considered CRITICAL.
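The summary describes a handler that is reachable anonymously and trusts a posted user_id. As an added illustration (not the plugin's own code; the hook, nonce action and parameter names are assumed), this is how the same AJAX action looks with the missing checks in place: no nopriv hook, a nonce check, an authentication check, an ownership/capability check on the target account, and validation of the email before wp_update_user() is called.

```php
<?php
// Added illustration, not the plugin's own code. The hook name, nonce
// action and POST parameter names are assumed for this example.

// Register for logged-in users only. Without a wp_ajax_nopriv_ hook,
// anonymous requests never reach the callback at all.
add_action( 'wp_ajax_pravel_invoice_edit_account', 'example_invoice_edit_account' );

function example_invoice_edit_account() {
    // 1. Nonce check: the request must carry a token this site issued (CSRF defence).
    //    check_ajax_referer() dies with a -1 response if the nonce is missing or invalid.
    check_ajax_referer( 'pravel_invoice_edit_account', 'nonce' );

    // 2. Authentication: wp_ajax_ hooks only fire for logged-in users, but an
    //    explicit check is cheap and survives later hook changes.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Ownership: never let the posted user_id decide whose account is edited.
    //    Default to the caller; editing anyone else requires the edit_user capability.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id ) {
        $user_id = get_current_user_id();
    }
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Validate the new address before it reaches wp_update_user().
    $user_email = isset( $_POST['user_email'] )
        ? sanitize_email( wp_unslash( $_POST['user_email'] ) )
        : '';
    if ( ! is_email( $user_email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    // wp_update_user() returns the user ID on success or a WP_Error on failure.
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $user_email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Each wp_send_json_error() call ends the request, so execution only reaches wp_update_user() after every check has passed.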

Defensive priority

High priority should be given to updating the Invoice Generator plugin to a patched version. Until that is done, monitoring for unexpected changes to user email addresses and for password reset requests against privileged accounts, together with compensating controls such as limiting the number of password reset requests, can help mitigate the risk.

Recommended defensive actions

  • Update the Invoice Generator plugin to a patched version
  • Monitor for unexpected user email changes and password reset requests, and implement compensating controls
  • Limit the number of password reset requests
  • Implement additional security measures, such as two-factor authentication
  • Regularly review and update plugins and themes

Evidence notes

The CVE record was published on June 27, 2026, and last modified on June 29, 2026. The vulnerability has a CVSS score of 9.8 and is considered CRITICAL. The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action.

Official resources

This article is AI-assisted and based on the supplied source corpus.