CVE-2024-32518

An unauthenticated attacker can send crafted HTTP requests to the plugin's AJAX handlers or REST API endpoints that lack a `current_user_can()` or similar capability check [CWE-862]. Because the plugin does not verify the user's role or permissions before processing invoice configuration changes or invoice downloads, any remote attacker who can reach the WordPress installation can exploit the missing authorization to alter invoice templates, toggle settings, or access invoice data without authentication.

The PeproDev Ultimate Invoice plugin for WordPress (versions through 2.0.0) fails to enforce authorization checks on invoice-related AJAX actions and REST endpoints, allowing unauthenticated users to modify invoice settings or trigger invoice generation without proper capability verification.

The advisory does not include a published patch diff. The vendor's changelog entries for later versions (v2.2.2 and v2.2.6) reference fixes for "Security Issue CVE-2025-54869" and "Randomized invoice archive filenames and removed files after download," but no specific patch for CVE-2024-32518 is shown. Remediation requires adding WordPress capability checks (e.g., `current_user_can('manage_woocommerce')`) to all invoice AJAX callbacks and REST routes that modify or retrieve invoice data.