Missing Authorization Vulnerability in Easy Invoice Plugin for WordPress
CVE-2026-9021

5.3MEDIUM

What is CVE-2026-9021?

The Easy Invoice plugin for WordPress is susceptible to a Missing Authorization vulnerability that allows unauthenticated attackers to exploit certain AJAX actions. Specifically, the plugin registers easy_invoice_accept_quote and easy_invoice_decline_quote actions without proper access controls, relying only on a nonce that can be harvested from public quote templates. This vulnerability can enable malicious users to accept or decline published quotes and potentially convert them into invoices, with the option to email them to clients, creating significant security risks for affected users.

Affected Version(s)

Easy Invoice – Invoice Generator, PDF Quotes & Payments 0 <= 2.2.19

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PeterPatter
.