Home

Description

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the plugin's API key stored in wp_options, modify invoice plugin settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.

PUBLISHED Reserved 2026-05-28 | Published 2026-07-10 | Updated 2026-07-10 | Assigner Wordfence




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-07-09:Disclosed

Credits

Benedictus Jovan (aillesiM) finder

References

www.wordfence.com/...-0462-447f-a639-4f95d5aa27ab?source=cve

plugins.trac.wordpress.org/...pages/S123_InvoiceSettings.php

plugins.trac.wordpress.org/...pages/S123_InvoiceSettings.php

plugins.trac.wordpress.org/...includes/pages/S123_ApiKey.php

plugins.trac.wordpress.org/...pages/S123_InvoiceSettings.php

plugins.trac.wordpress.org/...includes/pages/S123_ApiKey.php

plugins.trac.wordpress.org/...pages/S123_InvoiceSettings.php

plugins.trac.wordpress.org/...pages/S123_InvoiceSettings.php

plugins.trac.wordpress.org/...includes/pages/S123_ApiKey.php

plugins.trac.wordpress.org/...pages/S123_InvoiceSettings.php

plugins.trac.wordpress.org/...includes/pages/S123_ApiKey.php

plugins.trac.wordpress.org/...t&new=3594935%40saskaita123-lt

cve.org (CVE-2026-9857)

nvd.nist.gov (CVE-2026-9857)

Download JSON