Missing Authorization Vulnerability in Easy Invoice Plugin for WordPress
CVE-2026-9021
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-9021?
The Easy Invoice plugin for WordPress is susceptible to a Missing Authorization vulnerability that allows unauthenticated attackers to exploit certain AJAX actions. Specifically, the plugin registers easy_invoice_accept_quote and easy_invoice_decline_quote actions without proper access controls, relying only on a nonce that can be harvested from public quote templates. This vulnerability can enable malicious users to accept or decline published quotes and potentially convert them into invoices, with the option to email them to clients, creating significant security risks for affected users.
Affected Version(s)
Easy Invoice β Invoice Generator, PDF Quotes & Payments 0 <= 2.2.19