Vulnerabilities and security researches forsaskaita123-lt saskaita123-lt
Direction: ascendingJul 11, 2026
Invoice123 # CVE-2026-9857
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 10, 2026
- Research Description
- The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the plugin's API key stored in wp_options, modify invoice plugin settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.
- Affected versions
-
max 1.7.1.
- Status
-
vulnerable