VYPR
Medium severity (5.3) · NVD Advisory · Published Mar 25, 2026 · Updated Apr 15, 2026

CVE-2026-2343

Description

The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, making it possible to brute-force and retrieve PII.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PeproDev Ultimate Invoice plugin ≤2.2.5 generates predictable ZIP filenames for bulk invoice downloads, enabling unauthenticated brute-force retrieval of PDFs containing PII.

The PeproDev Ultimate Invoice WordPress plugin, versions 2.2.5 and earlier, contains a vulnerability in its bulk download invoices functionality. When an administrator triggers a bulk export, the plugin generates a ZIP archive containing the corresponding invoice PDFs. The filename of this ZIP archive is constructed using a predictable pattern, rather than a random or authenticated token, making it susceptible to enumeration [1].

An attacker can exploit this flaw without any authentication. By simply iterating through possible ZIP filenames (e.g., based on timestamps or sequential IDs), they can download archives that were generated for legitimate administrative actions. No special network position or user interaction is required beyond the ability to send HTTP requests to the WordPress site [1].

Successful exploitation allows an attacker to retrieve invoice PDFs that contain personally identifiable information (PII) of customers, such as names, addresses, and payment details. This constitutes a sensitive data disclosure, potentially violating privacy regulations and exposing affected individuals to identity theft or fraud [1].

The vulnerability has been addressed in version 2.2.6 of the plugin. Users are strongly advised to update immediately. The issue was discovered and reported by researcher Ashkan Moghaddas [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
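The narrative above contrasts a filename built from guessable inputs with one built from a random token, and it notes that the archives were reachable without authentication. The following Python is an added illustration of that contrast and of the defender-side fix; it is not the plugin's code (which is PHP), and the exact `invoices-<admin>-<timestamp>.zip` pattern, the in-memory record store and the 10-minute lifetime are assumptions chosen for the example, not details taken from the advisory. The hardened store goes beyond the filename: it keeps archives out of any directory the web server lists, refuses anonymous requests, binds each export to the user who created it, and deletes it after a short TTL.

```python
import os
import secrets
import time
import zipfile
from dataclasses import dataclass
from typing import Dict, Optional


def predictable_archive_name(admin_id: int, export_time: int) -> str:
    """Weak scheme (constructed to illustrate the advisory): every input is
    either public or narrowly bounded, so an outsider can enumerate candidate
    names for a file sitting in a web-served uploads folder."""
    return f"invoices-{admin_id}-{export_time}.zip"


def unguessable_archive_name() -> str:
    """Hardened scheme: the name is a 256-bit random token and nothing else."""
    return f"invoices-{secrets.token_urlsafe(32)}.zip"


@dataclass
class ExportRecord:
    path: str          # where the archive lives (outside the web root)
    owner_id: int      # the authenticated user who requested the export
    expires_at: float  # unix time after which the archive is deleted


class InvoiceExportStore:
    """Writes each bulk export under a random name in a directory the web
    server does not serve directly, then releases it only to the
    authenticated user who requested it, and only until it expires.
    (Assumed design for this example; the in-memory dict stands in for
    whatever persistent record a real plugin would keep.)"""

    def __init__(self, base_dir: str, ttl_seconds: int = 600):
        self.base_dir = base_dir
        self.ttl_seconds = ttl_seconds
        self._records: Dict[str, ExportRecord] = {}

    def create_export(self, owner_id: int, pdfs: Dict[str, bytes]) -> str:
        token = secrets.token_urlsafe(32)
        path = os.path.join(self.base_dir, f"{token}.zip")
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as archive:
            for filename, data in pdfs.items():
                archive.writestr(filename, data)
        expires_at = time.time() + self.ttl_seconds
        self._records[token] = ExportRecord(path, owner_id, expires_at)
        return token  # the only handle the requester ever receives

    def fetch_export(self, token: str, requester_id: Optional[int]) -> Optional[bytes]:
        if requester_id is None:
            return None  # unauthenticated requests get nothing, whatever they know
        record = self._records.get(token)
        if record is None or record.owner_id != requester_id:
            return None  # unknown token, or someone else's export
        if time.time() > record.expires_at:
            self._discard(token)
            return None  # expired exports are deleted on first touch
        with open(record.path, "rb") as fh:
            return fh.read()

    def purge_expired(self) -> int:
        """Housekeeping hook (e.g. a scheduled task): delete everything past
        its TTL and return how many archives were removed."""
        now = time.time()
        expired = [t for t, r in self._records.items() if now > r.expires_at]
        for t in expired:
            self._discard(t)
        return len(expired)

    def _discard(self, token: str) -> None:
        record = self._records.pop(token)
        if os.path.exists(record.path):
            os.remove(record.path)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        store = InvoiceExportStore(tmp)
        # Constructed sample content standing in for a real invoice PDF.
        token = store.create_export(1, {"invoice-1001.pdf": b"%PDF-1.4 constructed sample"})
        print("weak name:    ", predictable_archive_name(1, 1700000000))
        print("hardened name:", unguessable_archive_name())
        print("anonymous:    ", store.fetch_export(token, None))
        print("other user:   ", store.fetch_export(token, 2))
        print("owner ok:     ", store.fetch_export(token, 1) is not None)
```

The random name alone would already defeat enumeration, but it would still leave a long-lived file in a public directory; the owner check and the TTL are what limit the damage if a token ever leaks through a log or a shared link.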

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1