CVE-2024-13719

The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WordfenceCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
VendorProductVersion
pepropeprodev_ultimate_invoice
𝑥
≤ 2.0.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://wordpress.org/plugins/pepro-ultimate-invoice/
https://www.wordfence.com/threat-intel/vulnerabilities/id/46186f8d-e50c-476a-9480-b6121412474a?source=cve