CVE advisoryCRITICAL
CVE-2026-12415
WordPress Invoice Generator Plugin Privilege Escalation Vulnerability
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical vulnerability in the WordPress Invoice Generator plugin allows unauthenticated attackers to escalate privileges and take over user accounts, including administrative ones. This is achieved by manipulating an AJAX action to change a user's email address, then initiating a password reset to gain unauthorized a