WordPress Plugin Vulnerabilities

PeproDev Ultimate Invoice < 2.2.6 - Unauthenticated Invoice Archive Download

Description

The plugin has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII.

Proof of Concept

Affects Plugins

Plugin icon
pepro-ultimate-invoice
Fixed in 2.2.6

References

CVE
CVE-2026-2343

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ashkan Moghaddas
Submitter
Ashkan Moghaddas
Submitter website
https://ultraamooz.com
Verified
Yes
WPVDB ID
ac1572ca-7994-401d-a268-6a8773e60ab1

Timeline

Publicly Published
2026-03-04 (about 25 days ago)
Added
2026-03-04 (about 24 days ago)
Last Updated
2026-03-11 (about 17 days ago)

Other

Published
Title
Published
2024-01-10
Title
Profile Builder Pro < 3.10.1 - Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
Published
2025-12-04
Title
SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure
Published
2024-04-15
Title
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress < 2.0.74 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Published
2024-04-05
Title
Contact Form Email < 1.3.45 - Unauthenticated Sensitive Information Exposure
Published
2026-01-20
Title
Contact Form & Lead Form Elementor Builder < 2.0.2 - Authenticated (Subscriber+) Information Exposure