CVE-2026-12416
Pravel · Invoice Generator
The Invoice Generator WordPress plugin contains an account takeover vulnerability via an insecure password reset function that allows unauthenticated attackers to hijack any user account.
Executive summary
A critical vulnerability in the Pravel Invoice Generator plugin allows unauthenticated attackers to perform full account takeover of any user, including administrators.
Vulnerability
The vulnerability exists in the pravel_invoice_change_password() function, which lacks both nonce verification and authorization checks, so the handler is reachable by unauthenticated requests. The function also compares the supplied activation code against the stored one with loose equality (PHP ==), which applies type juggling before comparing rather than a strict, constant-time byte comparison. An unauthenticated attacker can therefore satisfy the activation-code check without knowing a valid code, bypass the reset process, and set an arbitrary password on any target account.
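The following script is an added illustration of the bug class the advisory describes, not code from the Pravel plugin. It shows a handler shaped like the one described (no nonce, no authorization, loose comparison) next to a hardened version, and drives both with constructed requests. The handler skeleton, the activation-code store, the request field names and the nonce action name are assumptions modelled on the advisory's description; the plugin's real identifiers and parameter names are not given on the page.

```php
<?php
// Added illustration, not code from the Pravel Invoice Generator plugin.
// The advisory says pravel_invoice_change_password() skips nonce and
// authorization checks and compares activation codes with loose equality.
// Everything named below (store layout, request fields, nonce action) is an
// assumption modelled on that description, not the plugin's real code.
declare(strict_types=1);

// Constructed stand-in for user meta so the script runs without WordPress.
// get_user_meta($id, $key, true) returns '' for a missing key; that is
// reproduced here on purpose because it matters for the bypass.
const CODES = [
    1 => ['code' => '0e830152938472', 'expires' => PHP_INT_MAX], // constructed code that looks like "0e<digits>"
    2 => ['code' => '',               'expires' => 0],           // user who never requested a reset
];

function stored_code(int $user_id): array {
    return CODES[$user_id] ?? ['code' => '', 'expires' => 0];
}

// Vulnerable comparison: '==' juggles types. Two strings that both parse as
// numbers are compared numerically, so "0e1" == "0e830152938472" is true
// (both evaluate to 0.0), and '' == '' "matches" a user with no code at all.
function code_matches_loose(array $entry, string $supplied): bool {
    return $entry['code'] == $supplied;
}

// Hardened comparison: reject empty or expired codes, then compare in
// constant time with hash_equals(), which also uses strict byte equality.
function code_matches_strict(array $entry, string $supplied, int $now): bool {
    if ($entry['code'] === '' || $supplied === '' || $entry['expires'] <= $now) {
        return false;
    }
    return hash_equals($entry['code'], $supplied);
}

// Vulnerable handler shape ($post stands in for $_POST). In a real plugin the
// success branch would call wp_set_password() on the attacker-chosen value.
function change_password_vulnerable(array $post): string {
    $user_id = (int) ($post['user_id'] ?? 0);
    if (code_matches_loose(stored_code($user_id), (string) ($post['code'] ?? ''))) {
        return "password of user {$user_id} replaced";
    }
    return 'invalid code';
}

// Hardened handler shape. $nonce_ok and $current_user stand in for
// check_ajax_referer('pravel_pw', 'nonce') and get_current_user_id(),
// which need a WordPress runtime (the nonce action name is assumed).
function change_password_hardened(array $post, bool $nonce_ok, int $current_user, int $now): string {
    if (!$nonce_ok) {
        return 'forbidden: bad nonce';
    }
    $user_id = (int) ($post['user_id'] ?? 0);
    // A logged-in caller may only change their own password; a logged-out
    // caller is authorized solely by a valid, unexpired, single-use code.
    if ($current_user !== 0 && $current_user !== $user_id) {
        return 'forbidden: not authorized';
    }
    if (!code_matches_strict(stored_code($user_id), (string) ($post['code'] ?? ''), $now)) {
        return 'invalid code';
    }
    // wp_set_password($post['new_password'], $user_id); then delete the code
    // so it cannot be replayed.
    return "password of user {$user_id} replaced";
}

// Constructed attacker requests: neither carries a nonce or a session.
$attacks = [
    'numeric-string juggling'      => ['user_id' => 1, 'code' => '0e1'],
    'empty code, no reset pending' => ['user_id' => 2, 'code' => ''],
];
foreach ($attacks as $name => $post) {
    printf("%-30s vulnerable: %-28s hardened: %s\n", $name,
        change_password_vulnerable($post),
        change_password_hardened($post, false, 0, time()));
}
```

Both constructed requests succeed against the loose handler and fail against the hardened one. Note that switching == to === alone is not enough: the empty-code case still passes a strict comparison, which is why the hardened version rejects empty codes and checks expiry before comparing.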
Business impact
Successful exploitation results in full unauthorized administrative control over the affected WordPress site. This leads to complete data compromise, potential distribution of malicious content to visitors, and total loss of system integrity. With a CVSS base score of 9.8 (Critical), reflecting unauthenticated, remote exploitation with no user interaction, this flaw represents the highest level of risk to business continuity and data security.
Remediation
Immediate Action: Update the Pravel Invoice Generator plugin to the latest patched version as soon as possible, and rotate credentials for any account that may have been reset while the vulnerable version was installed.
Proactive Monitoring: WordPress core does not log password changes by itself, so audit the user list for unfamiliar administrator accounts and recently registered users, and review any activity-log plugin output and web server access logs for unexpected password changes or requests to the plugin's password-change AJAX action.
Compensating Controls: Until the update is applied, use a Web Application Firewall (WAF) or web-server rule to block unauthenticated requests to wp-admin/admin-ajax.php whose action parameter routes to pravel_invoice_change_password(); the exact action name is not given here and should be taken from the plugin's registered wp_ajax hooks.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity of this vulnerability and the ease of exploitation (no authentication, credentials or user interaction required), immediate action is required to prevent unauthorized access. Site administrators must prioritize updating the plugin and auditing user accounts to confirm that no unauthorized password changes or account additions have occurred.