WordPress Plugin Vulnerabilities

PeproDev Ultimate Invoice < 1.9.8 - Unauthenticated Arbitrary Invoice Access

Description

The plugin is vulnerable to Sensitive Information Exposure via the 'init_plugin' function. This makes it possible for unauthenticated attackers to generate PDF or ZIP files of arbitrary invoices and extract sensitive data.

Affects Plugins

Plugin icon
pepro-ultimate-invoice
Fixed in 1.9.8

References

CVE
CVE-2024-25933
URL
https://patchstack.com/database/vulnerability/pepro-ultimate-invoice/wordpress-peprodev-ultimate-invoice-plugin-1-9-7-sensitive-data-exposure-vulnerability

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
71f8a2de-1dc5-4919-a67e-93cdcbf46e99

Timeline

Publicly Published
2024-02-20 (about 2 years ago)
Added
2024-02-23 (about 2 years ago)
Last Updated
2024-04-01 (about 2 years ago)

Other

Published
Title
Published
2025-12-21
Title
Eight Day Week Print Workflow < 1.2.6 - Authenticated (Custom+) Information Exposure
Published
2022-10-24
Title
Phone Orders for WooCommerce < 3.7.2 - Subscriber+ Sensitive Data Exposure
Published
2025-01-13
Title
Event monster < 1.4.4 - Information Exposure Via Visitors List Export
Published
2025-12-26
Title
Booking Ultra Pro <= 1.1.23 - Authenticated (Subscriber+) Information Exposure
Published
2025-12-21
Title
Contact Form 7 Extension For Mailchimp < 0.9.69 - Authenticated (Contributor+) Information Exposure