CVE-2024-13719 MEDIUM

CVE-2024-13719: PeproDev Ultimate Invoice <= 2.0.9 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure

Vendor Peprodev
Product PeproDev Ultimate Invoice
Weakness CWE-862 · Missing authorization
Published February 19, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.

Key dates

02Disclosure timeline

February 19, 2025 CVE published
April 8, 2026 Record updated