PeproDev Ultimate Invoice WordPress Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the PeproDev Ultimate Invoice plugin for WordPress, affecting all versions through 2.0.8. The vulnerability arises in the invoicing viewer, where missing validation on a user-controlled key allows unauthenticated attackers to access invoices for completed orders. These invoices may contain personally identifiable information (PII) of users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to invoices containing sensitive user information, including personally identifiable information (PII).

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PeproDev Ultimate Invoice WordPress Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating