CVE-2026-2343 is a medium-severity information exposure vulnerability affecting the PeproDev Ultimate Invoice WordPress plugin up to version 2.2.5. The plugin includes a bulk download invoices feature that creates ZIP archives containing exported invoice PDFs. These ZIP files are named using a predictable pattern, which enables an unauthenticated attacker to brute force the ZIP file names and download sensitive invoice documents. The exposed invoices contain personally identifiable information (PII), such as customer names, addresses, and transaction details, leading to a confidentiality breach (CWE-200). The vulnerability does not affect the integrity or availability of the system and requires no authentication or user interaction, making exploitation relatively straightforward over the network. Although no public exploits have been reported, the predictable naming scheme presents a significant risk for automated attacks. The vulnerability was published on March 25, 2026, with a CVSS v3.1 base score of 5.3, reflecting network attack vector, low attack complexity, no privileges required, and no user interaction needed. The lack of patches or updates at the time of reporting means organizations must apply compensating controls to mitigate risk.

The primary impact of CVE-2026-2343 is unauthorized disclosure of sensitive customer information contained in invoice PDFs, including PII such as names, addresses, and transaction details. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential identity theft or fraud against affected individuals. Since the vulnerability can be exploited remotely without authentication or user interaction, attackers can automate brute force attacks to harvest large volumes of sensitive data. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have severe consequences for organizations handling sensitive financial data. Businesses using the PeproDev Ultimate Invoice plugin in e-commerce, finance, or service sectors are particularly at risk. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant threat if weaponized.

To mitigate CVE-2026-2343, organizations should first verify if they use the PeproDev Ultimate Invoice plugin and identify affected versions up to 2.2.5. Since no official patches are available, immediate steps include: 1) Restrict access to the bulk download functionality by enforcing authentication and authorization controls to ensure only legitimate users can generate and download invoice ZIP files. 2) Implement unpredictable, randomized naming conventions for ZIP archives to prevent brute force enumeration of file names. 3) Monitor web server logs for unusual or repeated access attempts indicative of brute force attacks targeting ZIP files. 4) Employ web application firewalls (WAFs) with rules to detect and block automated requests attempting to enumerate invoice files. 5) Consider disabling the bulk download feature temporarily if it cannot be secured. 6) Educate staff and users about the risk and encourage prompt reporting of suspicious activity. Finally, maintain vigilance for plugin updates or patches from PeproDev and apply them promptly once available.