Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter
Description
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset_activation_code POST parameter and the target user's stored forgot_email user meta — a check that trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset_user_id POST parameter, bypass the activation code check entirely by omitting reset_activation_code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 1.0.0
Patches
Vulnerability mechanics
Root cause
"The `pravel_invoice_change_password()` function uses loose equality (`==`) to compare the supplied activation code with the stored meta value, causing `'' == ''` to evaluate as true for any user who never requested a password reset."
Attack vector
An unauthenticated attacker sends a POST request to `wp-admin/admin-ajax.php` with `action=pravel_invoice_change_password`, supplying a target `reset_user_id` (e.g., an administrator's ID) and a chosen `new_password_custom`. By omitting the `reset_activation_code` parameter, the attacker triggers a loose equality comparison (`'' == ''`) against the target user's `forgot_email` user meta, which is empty for users who never requested a password reset. This bypasses the activation code check entirely, allowing the attacker to set a new password and take over any account, including administrators.
Affected code
The vulnerable function is `pravel_invoice_change_password()` in `lib/user-manage-function.php` (around line 296). It is registered as a `wp_ajax_nopriv_` handler with no nonce verification and no authorization check. The critical flaw is the loose equality comparison `$user_side_activation_code == $server_side_activation_code` on line 303, which evaluates to `'' == ''` for any user who has never initiated a forgot-password request.
What the fix does
The patch is not included in the bundle, but the advisory explains that the fix must add nonce verification and authorization checks to the `pravel_invoice_change_password()` AJAX handler, and replace the loose equality operator (`==`) with strict equality (`===`) so that an empty string from a user who never requested a password reset does not match an empty stored meta value. Additionally, the handler should verify that a valid password reset was actually initiated for the target user before allowing a password change.
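The hardened handler below is an added illustration of the fix described in this section and of the root cause discussed under "Vulnerability mechanics"; it is not code from the Invoice Generator plugin or its patch. It assumes, as the advisory states, that the plugin stores the reset code in the `forgot_email` user meta and reads `reset_user_id`, `reset_activation_code` and `new_password_custom` from POST. The function name `pravel_example_change_password`, the nonce action `pravel_example_reset` and the nonce field `security` are assumptions chosen for the example.

```php
<?php
/**
 * Illustrative hardened password-reset AJAX handler (not the plugin's code).
 * Assumptions: reset code stored in 'forgot_email' user meta; POST fields
 * 'reset_user_id', 'reset_activation_code', 'new_password_custom'; the nonce
 * action 'pravel_example_reset' and field name 'security' are invented here.
 */

// True only when a reset was actually initiated (stored code non-empty) and the
// supplied code matches it exactly. The explicit empty checks close the
// '' == '' hole; hash_equals() compares strictly and in constant time.
function pravel_example_code_matches( $supplied, $stored ) {
    if ( ! is_string( $supplied ) || ! is_string( $stored ) ) {
        return false;
    }
    if ( '' === $stored || '' === $supplied ) {
        return false;
    }
    return hash_equals( $stored, $supplied );
}

function pravel_example_change_password() {
    // 1. CSRF protection: the reset form must carry a nonce created with
    //    wp_create_nonce( 'pravel_example_reset' ); check_ajax_referer() dies on failure.
    check_ajax_referer( 'pravel_example_reset', 'security' );

    // 2. Input validation: a missing field is an error, never an empty default.
    $user_id  = isset( $_POST['reset_user_id'] ) ? absint( $_POST['reset_user_id'] ) : 0;
    $supplied = isset( $_POST['reset_activation_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ) ) : '';
    $password = isset( $_POST['new_password_custom'] )
        ? (string) wp_unslash( $_POST['new_password_custom'] ) : '';

    if ( 0 === $user_id || '' === $supplied || '' === $password ) {
        wp_send_json_error( array( 'message' => 'Missing parameters.' ), 400 );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 3. Authorization: a reset must have been initiated for this user and the
    //    supplied code must match under strict comparison (=== semantics).
    $stored = get_user_meta( $user_id, 'forgot_email', true );
    if ( ! pravel_example_code_matches( $supplied, $stored ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 403 );
    }

    // 4. Single use: clear the stored code before applying the new password so a
    //    captured code cannot be replayed.
    delete_user_meta( $user_id, 'forgot_email' );
    wp_set_password( $password, $user_id );

    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
add_action( 'wp_ajax_nopriv_pravel_example_change_password', 'pravel_example_change_password' );
add_action( 'wp_ajax_pravel_example_change_password', 'pravel_example_change_password' );
```

The handler still has to be reachable by logged-out users (a password reset is by definition unauthenticated), so the authorization check is the possession of a valid, non-empty reset code rather than a capability check; the nonce stops cross-site submission and the explicit empty-string rejection means an account that never requested a reset cannot match at all. The single-use deletion in step 4 is an additional hardening beyond what the advisory lists.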
Preconditions
- Network: The attacker must be able to send POST requests to the WordPress admin-ajax.php endpoint, which is publicly accessible.
- Input: The target user must have never initiated a forgot-password request (so their 'forgot_email' user meta is empty).
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/cc0fbe84-e455-4e62-9c48-49340d08f81d (mitre)