PeproDev Ultimate Invoice < 2.1.0 – Insecure Direct Object Reference to Unauthenticated Order Information Exposure | CVE 2024-13719 | Plugin Vulnerabilities

Description

The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.

Affects Plugins

pepro-ultimate-invoice

Fixed in 2.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/46186f8d-e50c-476a-9480-b6121412474a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

1aba82fc-f268-47bb-b189-9b263d0eb7f6

Timeline

Publicly Published

2025-02-18 (about 1 year ago)

Added

2025-02-18 (about 1 year ago)

Last Updated

2025-12-11 (about 6 months ago)

Other

Published

Title

Published

2025-12-11

Title

Lottier for WPBakery <= 1.1.7 - Missing Authorization

Published

2025-09-22

Title

Gutentor < 3.5.3 - Missing Authorization

Published

2024-06-06

Title

Album Gallery – WordPress Gallery < 1.5.8 - Missing Authorization

Published

2024-10-21

Title

Rover IDX < 3.0.0.2905 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions

Published

2017-09-21

Title

Student Result or Employee Database < 1.6.4 - Auth Bypass