{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1748", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-01T21:20:38.295Z", "datePublished": "2026-02-11T08:26:26.044Z", "dateUpdated": "2026-04-08T17:02:15.050Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:15.050Z"}, "affected": [{"vendor": "kirilkirkov", "product": "Invoct \u2013 PDF Invoices & Billing for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Invoct \u2013 PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and list of WordPress users along with their emails."}], "title": "Invoct \u2013 PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79e4b7e1-9fff-4ff2-be2b-6dfa5f1ff48a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L565"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L585"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L605"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L626"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.7/KirilKirkovWpInvoices.php#L565"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}, {"lang": "en", "type": "finder", "value": "Teerachai S."}], "timeline": [{"time": "2026-01-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-10T20:09:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:37:06.860726Z", "id": "CVE-2026-1748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:44:51.934Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:37:06.860726Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:37:07.562Z"}}], "cna": {"title": "Invoct \u2013 PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}, {"lang": "en", "type": "finder", "value": "Teerachai S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "kirilkirkov", "product": "Invoct \u2013 PDF Invoices & Billing for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-10T20:09:18.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79e4b7e1-9fff-4ff2-be2b-6dfa5f1ff48a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L565"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L585"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L605"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L626"}, {"url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.7/KirilKirkovWpInvoices.php#L565"}], "descriptions": [{"lang": "en", "value": "The Invoct \u2013 PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and list of WordPress users along with their emails."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:15.050Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1748", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:15.050Z", "dateReserved": "2026-02-01T21:20:38.295Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T08:26:26.044Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Invoct \u2013 PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and list of WordPress users along with their emails."}, {"lang": "es", "value": "El plugin Invoct \u2013 PDF Invoices &amp; Billing for WooCommerce para WordPress es vulnerable a acceso no autorizado a datos debido a una comprobaci\u00f3n de capacidad faltante en m\u00faltiples funciones en todas las versiones hasta la 1.6, ambas inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, recuperen clientes de facturas, elementos de facturas y la lista de usuarios de WordPress junto con sus correos electr\u00f3nicos."}], "id": "CVE-2026-1748", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T09:15:51.523", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L565"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L585"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L605"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.6/KirilKirkovWpInvoices.php#L626"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirilkirkov-pdf-invoice-manager/tags/1.7/KirilKirkovWpInvoices.php#L565"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79e4b7e1-9fff-4ff2-be2b-6dfa5f1ff48a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6]"}}], "product": "invoct_\u2013_pdf_invoices_&_billing_for_woocommerce", "vendor": "kirilkirkov"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T21:11:52.164978+00:00", "value": {"mitigation_remediation": ["Check for an updated version of the Invoct \u2013 PDF Invoices & Billing for WooCommerce plugin that addresses the missing authorization checks, and upgrade if available.", "If an upgrade cannot be performed immediately, deactivate or delete the plugin from the live site to prevent data exposure.", "Restrict billing and invoice endpoints to administrators or shop\u2011manager roles by adjusting capability settings or applying a role\u2011management plugin, ensuring that Subscriber\u2011level accounts cannot access sensitive data."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems are the Invoct \u2013 PDF Invoices & Billing for WooCommerce WordPress plugin from vendor kirilkirkov, with all releases up to version 1.6. No other products are reported as affected.", "description_and_impact": "The vulnerability in the Invoct \u2013 PDF Invoices & Billing for WooCommerce plugin arises from a missing capability check on several functions across all versions up to 1.6. Authenticated users with a Subscriber role or higher can invoke these functions and retrieve sensitive data, including invoice client details, line item information, and a full list of WordPress users with their email addresses. This constitutes a direct information disclosure that could support phishing, credential stuffing, or further lateral movement within the site. The weakness is identified as CWE\u2011862: Missing Authorization.", "risk_and_exploitability": "The CVSS v3.1 score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% shows a very low likelihood of current exploitation. The flaw is not listed in the CISA KEV catalog, implying no confirmed public exploits. Attackers must be authenticated, holding at least a Subscriber role, limiting initial reach but still allowing harvesting of confidential customer and user details once authenticated. Prompt patching, coupled with monitoring for unauthorized data extraction, mitigates this risk effectively."}}}}, "created": "2026-02-11T21:46:02.997245+00:00", "updated": "2026-04-15T21:15:13.585886+00:00", "vendors": ["kirilkirkov", "kirilkirkov$PRODUCT$invoct_\u2013_pdf_invoices_&_billing_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}