PeproDev Ultimate Invoice WordPress Plugin Unauthenticated Sensitive Data Exposure Vulnerability
Vulnerability
A vulnerability in the PeproDev Ultimate Invoice WordPress plugin, affecting versions through 2.2.5, allows unauthenticated access to personally identifiable information (PII). The issue arises from the bulk invoice download feature, which creates ZIP files containing exported invoice PDFs. These ZIP files are named in a predictable manner, so an attacker can brute-force the file names, retrieve the archived invoices, and read the sensitive data they contain.
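The root cause above is an archive name derived from a timestamp: once the minute is known, only the seconds field is unknown, leaving a guess space of 60 names. The following added example (written for this advisory, not code from the plugin, which is PHP) contrasts that pattern with a hardened one: a 128-bit name from the OS CSPRNG, the archive kept in a private directory, and a download handler that checks ownership, capability and expiry before returning the path. The timestamp name format, the `manage_woocommerce` capability name, and the paths are assumptions for the example, not the plugin's actual values.

```python
import hashlib
import secrets
from datetime import datetime, timedelta


def predictable_archive_name(generated_at: datetime, prefix: str = "invoices") -> str:
    """Timestamp-derived archive name of the kind the advisory describes.
    The exact pattern is constructed for this example, not the plugin's real
    format; the point is that everything except the seconds field is known to
    anyone who saw roughly when the export ran."""
    return f"{prefix}-{generated_at.strftime('%Y%m%d-%H%M%S')}.zip"


def guess_space_for_known_minute() -> int:
    """Candidate names left once the minute is known: one per second value (00-59)."""
    return 60


def unguessable_archive_name(prefix: str = "invoices") -> str:
    """Hardened form: 128 bits from the OS CSPRNG. The name carries no
    information an observer could reconstruct, so enumeration is infeasible."""
    return f"{prefix}-{secrets.token_hex(16)}.zip"


def token_bits(name: str, prefix: str = "invoices") -> int:
    """Entropy budget of a name from unguessable_archive_name (4 bits per hex digit)."""
    hex_part = name[len(prefix) + 1 : -len(".zip")]
    return len(hex_part) * 4


class DownloadRegistry:
    """Serves archives from a private directory through an authorised handler
    instead of a web-readable uploads folder. An unguessable name is only the
    second line of defence; the primary control is the authorisation check."""

    REQUIRED_CAP = "manage_woocommerce"  # capability name assumed for the example

    def __init__(self, ttl: timedelta = timedelta(hours=1)):
        self._entries = {}  # sha256(token) -> (private_path, owner_id, expires_at)
        self._ttl = ttl

    def register(self, private_path: str, owner_id: int, now: datetime) -> str:
        """Create a one-off download token for an archive stored outside the webroot."""
        token = secrets.token_urlsafe(32)
        # Store only a digest: a leaked registry does not yield usable links.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._entries[key] = (private_path, owner_id, now + self._ttl)
        return token

    def resolve(self, token: str, requester_id: int, caps: set, now: datetime):
        """Return the file path to stream, or None. Lookup is by digest, so no
        caller-controlled string is compared directly against stored tokens."""
        entry = self._entries.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None:
            return None
        path, owner_id, expires_at = entry
        if now > expires_at or requester_id != owner_id or self.REQUIRED_CAP not in caps:
            return None
        return path
```

Even with a random name, the archive should not sit in a directory the web server serves directly; the registry above is the shape of a handler that streams the file only to the administrator who requested the export, for a bounded time.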
Impact
Exploitation of this vulnerability leads to unauthorized access to, and disclosure of, the personally identifiable information (PII) contained in the downloaded invoice PDFs.
Reproduction
To reproduce this vulnerability, an administrator initiates a bulk download of invoices through the WooCommerce Orders interface. Once the ZIP file is generated, note its date and timestamp. Then brute-force the ZIP file name by replacing the seconds in the timestamp with values from 00 to 59. If a matching ZIP file is found, it can be downloaded, exposing the sensitive invoice data.
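Because the enumeration in the reproduction steps is a burst of requests for many sibling `.zip` names, mostly answered with 404, it is visible in web server access logs. The added example below (written for this advisory, not part of the original or the plugin) parses Apache/nginx combined-format lines and flags any client that requests more than a threshold of distinct ZIP files under `/wp-content/uploads/` within a sliding window. The log lines, client addresses and file names are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ZIP_RE = re.compile(r"^/wp-content/uploads/.*\.zip$")


def parse_line(line: str):
    """Return (ip, timestamp, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"]))


def find_enumeration(lines, window_seconds: int = 60, threshold: int = 10):
    """Flag clients that request >= threshold distinct uploads-directory ZIP
    paths inside any window_seconds span. Returns one alert per client."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and ZIP_RE.match(rec[2]):
            by_ip[rec[0]].append(rec)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r[1])
        for i, (_, start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[1] - start <= window]
            distinct = {e[2] for e in in_window}
            if len(distinct) >= threshold:
                alerts.append({
                    "ip": ip,
                    "first_seen": start.isoformat(),
                    "distinct_paths": len(distinct),
                    "not_found": sum(1 for e in in_window if e[3] == 404),
                    "successes": sum(1 for e in in_window if e[3] == 200),
                })
                break  # one alert per client is enough for triage
    return alerts


def constructed_sample_log():
    """Constructed access log: one client sweeping 15 sibling archive names
    (one hit), plus an unrelated client fetching a single ZIP and a page."""
    base = datetime(2024, 5, 1, 12, 31, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(15):
        ts = (base + timedelta(seconds=2 * s)).strftime(TS_FMT)
        status, size = (200, 48213) if s == 7 else (404, 196)
        lines.append(
            f'203.0.113.7 - - [{ts}] "GET /wp-content/uploads/invoices-20240501-1230{s:02d}.zip HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"'
        )
    ts = base.strftime(TS_FMT)
    lines.append(f'198.51.100.4 - - [{ts}] "GET /wp-content/uploads/2024/05/catalog.zip HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.4 - - [{ts}] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for alert in find_enumeration(constructed_sample_log()):
        print(alert)
```

A 200 inside such a burst is the signal that matters for incident response: it identifies which archive was actually retrieved, and therefore which customers' invoices need to be treated as exposed.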
Remediation
Users are advised to update the PeproDev Ultimate Invoice WordPress plugin to version 2.2.6 or later.
