The PeproDev Ultimate Invoice WordPress plugin, widely used for managing and exporting invoices, contains a critical information exposure vulnerability identified as CVE-2026-2343. The issue exists in the bulk download invoices functionality, which generates ZIP archives containing exported invoice PDFs. These ZIP files are named using a predictable pattern, enabling an attacker to enumerate or brute force the filenames to retrieve these archives without proper authorization. Since the ZIP files contain sensitive personally identifiable information (PII) such as customer names, addresses, and financial details, unauthorized access can lead to significant privacy violations. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized parties. The plugin versions up to 2.2.5 are affected, and no official patch or fix has been released as of the publication date. The lack of authentication or access control on the bulk download feature exacerbates the risk, allowing attackers to automate the retrieval of multiple invoice archives. Although no exploits have been observed in the wild, the predictable naming scheme and the nature of the data involved make this a high-risk vulnerability for organizations relying on this plugin for invoicing and financial record management.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive personal and financial information contained within invoice PDFs. This can lead to privacy breaches, identity theft, financial fraud, and regulatory non-compliance (e.g., GDPR, CCPA). Organizations using the affected plugin risk reputational damage and potential legal consequences due to exposure of customer data. The ease of exploitation through brute forcing predictable filenames means attackers can systematically harvest large volumes of sensitive data. This can also facilitate targeted phishing or social engineering attacks against affected customers. The vulnerability compromises confidentiality but does not directly affect system integrity or availability. However, the loss of trust and potential regulatory fines can have severe operational and financial repercussions for organizations worldwide.

Until an official patch is released, organizations should implement immediate mitigations to reduce risk. These include disabling the bulk download invoices feature if possible, or restricting access to it via strong authentication and IP whitelisting. Implementing web application firewall (WAF) rules to detect and block brute force attempts on ZIP file downloads can help mitigate automated exploitation. Renaming or randomizing ZIP file names server-side to remove predictability is a practical workaround. Monitoring web server logs for unusual access patterns to invoice ZIP files can aid in early detection of exploitation attempts. Organizations should also review and tighten file permissions and access controls on the server hosting invoice archives. Finally, users should be informed about the risk and advised to monitor for suspicious activity related to their invoicing data. Prompt patching once available is critical to fully remediate the vulnerability.