CVE-2026-8611 MEDIUM

CVE-2026-8611: Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter

Vendor Klamra22
Product Klamra Paycal for Aspaclaria
Weakness CWE-639 · IDOR
Published June 6, 2026
Last update June 6, 2026

CVSS base score 4.3/10

Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter, due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII belonging to other customers, including full name, email address, phone number, order total, line items, and customer notes.
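As an added example (not code from the advisory or the vendor), the following detection logic looks for the enumeration pattern the description names: one authenticated user requesting many distinct, largely sequential 'invoice_id' values in a short window. It assumes an application or WAF log that records the logged-in WordPress user id next to each request (stock web-server access logs do not), and the log lines below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real traffic: timestamp, authenticated user id, request.
# The "user=" field is an assumption about the log source (see lead-in).
SAMPLE_LOG = """\
2026-06-06T10:00:01Z user=17 GET /?invoice_id=1041
2026-06-06T10:00:03Z user=17 GET /?invoice_id=1042
2026-06-06T10:00:04Z user=17 GET /?invoice_id=1043
2026-06-06T10:00:06Z user=17 GET /?invoice_id=1044
2026-06-06T10:00:07Z user=17 GET /?invoice_id=1045
2026-06-06T10:00:09Z user=17 GET /?invoice_id=1046
2026-06-06T10:05:00Z user=42 GET /?invoice_id=2210
2026-06-06T11:30:00Z user=42 GET /?invoice_id=2210
"""

LINE_RE = re.compile(r"^(\S+) user=(\d+) \S+ \S*[?&]invoice_id=(\d+)")


def parse(log_text):
    """Yield (timestamp, user_id, invoice_id) for every line carrying an invoice_id."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m.group(2)), int(m.group(3))


def find_enumeration(log_text, window=timedelta(minutes=10), min_distinct=5):
    """Flag users who fetch at least `min_distinct` distinct invoice_ids inside
    `window` where the sorted ids are contiguous enough to look like probing."""
    events = defaultdict(list)
    for ts, user, inv in parse(log_text):
        events[user].append((ts, inv))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {inv for ts, inv in evs[i:] if ts - start <= window}
            if len(ids) < min_distinct:
                continue
            s = sorted(ids)
            # Share of steps between neighbouring ids that equal 1; sequential probing sits near 1.0.
            seq_ratio = sum(1 for a, b in zip(s, s[1:]) if b - a == 1) / (len(s) - 1)
            if seq_ratio >= 0.8:
                findings[user] = {"distinct_ids": len(s), "range": (s[0], s[-1]), "seq_ratio": seq_ratio}
                break
    return findings
```

A legitimate customer re-opening their own invoice (user 42 above) never trips the rule; the thresholds are starting points to tune against the site's normal invoice traffic.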

Explanation of Vulnerability in Simple Terms

02 Summary

Klamra Paycal for Aspaclaria versions 1.1.4 and earlier contain an authorization flaw that allows authenticated users to access sensitive information they should not be able to view. The vulnerability requires a valid user account but no additional user interaction. A low-privileged attacker can read confidential data through the affected component.

What an attacker can do

03 Attacker Capabilities

Read sensitive information they are not authorized to access.

Potential impact on your site

04 Site Impact

User data confidentiality is compromised; unauthorized information disclosure to authenticated users.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account with low-level privileges.

Key dates

06 Disclosure timeline

June 6, 2026 CVE published
June 6, 2026 Record updated