CVE · nvd · 27 Jun 2026

CVE-2026-12415 (CVSS 9.8) — The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A critical vulnerability has been published under CVE-2026-12415, affecting the Invoice Generator plugin for WordPress up to version 1.0. The flaw, rated 9.8 on the CVSS scale, allows privilege escalation through the pravel_invoice_edit_account() AJAX action due to a missing capability check. This means an unauthenticated attacker could exploit the plugin to gain elevated access, potentially compromising the entire WordPress installation and any sensitive data processed through it.
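The pattern the advisory describes, an admin-ajax action that changes account data without checking who is calling, is shown below beside its hardened form. This is an added illustration written for this page, not code from the Invoice Generator plugin; the handler names, action slugs and field names are hypothetical stand-ins, and the capability and role choices are assumptions about what such a handler should enforce.

```php
<?php
// Added illustration, not the Invoice Generator plugin's own code. Handler
// names, action slugs and fields are hypothetical; only the pattern (an AJAX
// action with no capability check) comes from the advisory.

// --- Vulnerable pattern: no nonce, no capability check ----------------------
function example_edit_account_unsafe() {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );
    // Anyone who can reach admin-ajax.php reaches this line.
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    wp_send_json_success();
}
// Registering the nopriv hook exposes the action to visitors who are not logged in.
add_action( 'wp_ajax_example_edit_account_unsafe', 'example_edit_account_unsafe' );
add_action( 'wp_ajax_nopriv_example_edit_account_unsafe', 'example_edit_account_unsafe' );

// --- Hardened pattern ---------------------------------------------------------
function example_edit_account_safe() {
    // 1. Nonce: rejects cross-site requests (check_ajax_referer dies on failure).
    check_ajax_referer( 'example_edit_account', 'nonce' );

    // 2. Capability: only users allowed to manage accounts may proceed.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );

    // 3. Per-object check plus a role allow-list: this path must never be able
    //    to promote an account to administrator (allowed roles are an assumption).
    $allowed_roles = array( 'subscriber', 'customer' );
    if ( ! current_user_can( 'edit_user', $user_id ) || ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    wp_send_json_success();
}
// Authenticated hook only: no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_example_edit_account', 'example_edit_account_safe' );
```

The three checks are independent: the nonce stops a logged-in user from being tricked into issuing the request from another site, the capability check stops low-privilege accounts, and the per-object check with a role allow-list limits what even an authorised caller can change. A missing capability check of the kind the advisory names is the middle layer being absent, and dropping the `wp_ajax_nopriv_` registration is what keeps the action away from unauthenticated callers.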

Organizations using the Invoice Generator plugin in their WordPress environments are directly affected. This includes small and medium businesses, e-commerce operators, and any sector relying on WordPress for invoicing or billing operations. Given the plugin’s role in handling financial data, the risk extends to customer records, payment information, and internal accounting systems. Compliance teams should prioritize this as a high-severity data protection risk under frameworks like GDPR or the NIS Directive.

Compliance teams should immediately verify whether the Invoice Generator plugin is installed in any organizational WordPress instance. If so, they must ensure it is updated to a patched version as soon as one is released, or temporarily disable the plugin. Additionally, teams should review access logs for signs of exploitation, and confirm that incident response procedures are ready to address potential data breaches. A vulnerability scan across all WordPress deployments is recommended to identify any other instances of this plugin.
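To make the "review access logs for signs of exploitation" step concrete, the script below scans web-server access-log lines for admin-ajax.php requests. It is an added example, not Matproof's or the plugin's code. It assumes the combined log format and assumes the AJAX action slug matches the function name in the advisory without its parentheses; verify the real slug against the plugin source before relying on it. The log lines are constructed samples, not real traffic.

```php
<?php
// Added example, not part of the advisory. Assumptions: combined log format, and
// that the AJAX action slug is "pravel_invoice_edit_account" (derived from the
// function name in the advisory; confirm against the plugin source).

const SUSPECT_ACTION = 'pravel_invoice_edit_account';

// Constructed sample lines for demonstration only (not real traffic).
$sample_log = <<<LOG
203.0.113.7 - - [27/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pravel_invoice_edit_account HTTP/1.1" 200 51 "-" "curl/8.4.0"
198.51.100.3 - - [27/Jun/2026:10:01:05 +0000] "GET /wp-content/plugins/invoice-generator/readme.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "curl/8.4.0"
192.0.2.10 - - [27/Jun/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 32 "https://shop.example/wp-admin/" "Mozilla/5.0"
LOG;

// Returns two findings: requests that name the suspect action in the query
// string, and a count of POSTs to admin-ajax.php per client IP (the fallback
// when the action travels in the POST body, which access logs do not record).
function review_ajax_log( string $log ): array {
    $findings = array( 'named_action' => array(), 'admin_ajax_post_by_ip' => array() );
    $pattern  = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/';
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a combined-format line
        }
        list( , $ip, $ts, $method, $path, $status ) = $m;
        if ( strpos( $path, '/wp-admin/admin-ajax.php' ) !== 0 ) {
            continue;
        }
        $query = array();
        parse_str( (string) parse_url( $path, PHP_URL_QUERY ), $query );
        if ( ( $query['action'] ?? '' ) === SUSPECT_ACTION ) {
            $findings['named_action'][] = compact( 'ip', 'ts', 'method', 'status' );
        }
        if ( $method === 'POST' ) {
            $findings['admin_ajax_post_by_ip'][ $ip ] = ( $findings['admin_ajax_post_by_ip'][ $ip ] ?? 0 ) + 1;
        }
    }
    arsort( $findings['admin_ajax_post_by_ip'] );
    return $findings;
}

$findings = review_ajax_log( $sample_log );
foreach ( $findings['named_action'] as $f ) {
    printf( "[%s] %s %s admin-ajax action=%s -> HTTP %s\n", $f['ts'], $f['ip'], $f['method'], SUSPECT_ACTION, $f['status'] );
}
foreach ( $findings['admin_ajax_post_by_ip'] as $ip => $n ) {
    printf( "%s: %d POST(s) to admin-ajax.php\n", $ip, $n );
}
```

Run it with `php review.php` after replacing `$sample_log` with the contents of the real access log. The caveat matters: WordPress AJAX calls usually carry the `action` parameter in the POST body, which standard access logs omit, so the named-action table will only catch callers who put it in the query string. The per-IP POST count is the fallback; a source that hammers admin-ajax.php with a non-browser user agent and no referer, as in the constructed sample, is worth correlating against the application's own logs or a WAF record that does capture request bodies.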

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
