CVE-2026-12416: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in pravel Invoice Generator
The Invoice Generator WordPress plugin (all versions up to and including 1.0.0) contains a critical vulnerability in its password reset mechanism. An unauthenticated attacker can exploit a missing nonce and authorization check in the AJAX password change handler to reset any user's password, including administrators, without a valid reset activation code. This allows full account takeover on affected sites.
AI Analysis
Technical Summary
CVE-2026-12416 describes a critical weakness in the pravel Invoice Generator WordPress plugin's password reset functionality. The function pravel_invoice_change_password() is registered as an unauthenticated (no-privilege) AJAX handler but performs neither nonce verification nor an authorization check. It compares the supplied reset_activation_code against the user's stored forgot_email meta with PHP's loose equality operator; for a user who has never initiated a password reset the stored value is empty, so an omitted or empty code compares as equal. An attacker can therefore leave out reset_activation_code and supply an arbitrary reset_user_id to reset that user's password, including an administrator's, giving full account takeover. All versions up to and including 1.0.0 are affected.
Potential Impact
Successful exploitation allows unauthenticated attackers to reset passwords of any user on the WordPress site running the vulnerable plugin, including administrator accounts. This leads to complete account takeover, compromising confidentiality, integrity, and availability of the affected site.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the AJAX handler if possible or disable the plugin. Monitor vendor channels for updates and apply patches promptly once released.
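As an added illustration (not the plugin's own code), here is what a hardened version of such an AJAX reset handler looks like in WordPress PHP, carrying the checks the analysis above says are missing: nonce verification, rejection of an empty code, a strict constant-time comparison against a stored token hash, expiry, and single use. The action name, the new_password field, the forgot_email_expires meta key and the hashed-token storage are assumptions.

```php
<?php
// Hypothetical hardened handler; names other than forgot_email are assumed.
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password' );

function example_change_password() {
    // 1. Nonce: the request must carry the token issued with the reset form.
    //    check_ajax_referer() dies with a 403 if it is missing or invalid.
    check_ajax_referer( 'example_reset_password', 'nonce' );

    $user_id = absint( $_POST['reset_user_id'] ?? 0 );
    $code    = sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ?? '' ) );
    $newpass = (string) ( $_POST['new_password'] ?? '' );

    // 2. Refuse an absent code before any comparison is made; an empty stored
    //    value must never be allowed to match an empty supplied value.
    if ( 0 === $user_id || '' === $code || strlen( $newpass ) < 12 ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // The reset flow is assumed to store hash('sha256', $code) and an expiry.
    $stored_hash = (string) get_user_meta( $user_id, 'forgot_email', true );
    $expires_at  = (int) get_user_meta( $user_id, 'forgot_email_expires', true );

    // 3. Strict, constant-time match of a non-empty stored hash, plus expiry.
    if ( '' === $stored_hash
        || ! hash_equals( $stored_hash, hash( 'sha256', $code ) )
        || time() > $expires_at ) {
        wp_send_json_error( 'invalid or expired code', 403 );
    }

    // 4. Single use: invalidate the token before the password is changed.
    delete_user_meta( $user_id, 'forgot_email' );
    delete_user_meta( $user_id, 'forgot_email_expires' );
    wp_set_password( $newpass, $user_id );

    wp_send_json_success( 'password updated' );
}
```

The key difference from the flaw described above is step 2 together with the `'' === $stored_hash` guard in step 3: a user who never requested a reset has no valid token state, so no request can succeed for them.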
CVSS v3.1
Score: 9.8 (Critical)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-06-16T16:00:47.462Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3b7811eed863c81e5f71f8
Added to database: 06/24/2026, 06:24:17 UTC
Last enriched: 06/24/2026, 06:39:58 UTC
Last updated: 06/24/2026, 11:38:54 UTC