CVE-2026-12415
Pravel · Invoice Generator
The Invoice Generator plugin for WordPress is vulnerable to unauthenticated privilege escalation, allowing attackers to modify arbitrary user accounts and hijack administrator sessions.
Executive summary
The Invoice Generator plugin for WordPress contains a critical privilege escalation flaw that allows unauthenticated attackers to gain full administrative control over the application.
Vulnerability
The plugin fails to perform capability checks or nonce verification on the pravel_invoice_edit_account() AJAX function. This allows an unauthenticated attacker to manipulate user account data via POST requests, facilitating account takeover through the password reset mechanism.
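Added example, not code from the Invoice Generator plugin: a WordPress AJAX handler carrying the two controls the advisory says are missing (nonce verification and a capability check) plus the field restrictions that keep a user-edit endpoint from becoming an account-takeover primitive. The hook, handler and parameter names are hypothetical, since the plugin's real action name and request fields are not given here.

```php
<?php
// Added illustration, not the plugin's code. Hook, handler and field names
// are hypothetical; the plugin's real action name and parameters are unknown.

// Register on wp_ajax_* only (logged-in users). Registering the same callback
// on wp_ajax_nopriv_* would expose it to unauthenticated visitors.
add_action( 'wp_ajax_example_edit_account', 'example_edit_account_hardened' );

function example_edit_account_hardened() {
    // 1. Nonce verification: rejects cross-site and replayed requests.
    //    Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_edit_account', 'nonce' );

    // 2. Capability check: only users allowed to edit other users proceed.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Target validation: the user must exist and the caller must hold the
    //    per-user 'edit_user' meta capability for that specific account.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || ! get_userdata( $user_id ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid target user.' ), 400 );
    }

    // 4. Allow-list the editable fields. Passing $_POST wholesale to
    //    wp_update_user() would let a caller change user_email or user_pass
    //    and then complete a takeover through the password reset flow.
    $args = array( 'ID' => $user_id );
    if ( ! empty( $_POST['display_name'] ) ) {
        $args['display_name'] = sanitize_text_field( wp_unslash( $_POST['display_name'] ) );
    }

    $result = wp_update_user( $args );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hand the nonce to the admin-side script that submits the form.
function example_localize_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_edit_account' ),
        'url'   => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_localize_nonce' );
```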
Business impact
This vulnerability carries a CVSS score of 9.8, reflecting its potential for total system compromise. A successful exploit grants an attacker administrative access, leading to full data exfiltration, modification of financial documentation, and the potential for persistent backdoors within the WordPress environment, resulting in severe reputational and operational damage.
Remediation
Immediate Action: Update the Invoice Generator plugin to the latest available version to patch the missing capability check.
Proactive Monitoring: Review web server access logs for anomalous POST requests directed at wp-admin/admin-ajax.php involving user account modifications.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block or challenge unauthorized AJAX requests targeting the identified vulnerable function.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this flaw cannot be overstated, as it provides a direct path to administrative takeover without authentication. Administrators must prioritize updating the plugin immediately. If an immediate update is not possible, the plugin should be deactivated until the patch is applied to prevent unauthorized access.