What the vulnerability does
01 Description
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
Explanation of Vulnerability in Simple Terms
02 Summary
Klamra Paycal for Aspaclaria versions 1.1.4 and earlier contain an authorization flaw that allows authenticated users to access sensitive information they should not be able to view. The vulnerability requires a valid user account but no additional user interaction. A low-privileged attacker can read confidential data through the affected component.
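The flaw described above is a missing object-level authorization check: the handler trusts the caller-supplied invoice_id and never confirms that the invoice belongs to the requesting user. The following PHP is an added illustration, not code from the Klamra Paycal for Aspaclaria plugin; every function, post type and meta key name in it (example_vulnerable_download_invoice, example_invoice, _example_customer_user_id, and so on) is hypothetical. It shows the vulnerable pattern next to a hardened version that validates the key, checks the object type, and ties access to ownership or an administrative capability.

```php
<?php
// Added illustration of the IDOR pattern in a WordPress AJAX handler and one way to fix it.
// All names below are invented for this example; they are not the plugin's own identifiers.

// --- Vulnerable pattern: the handler trusts invoice_id and checks only that a user is logged in ---
function example_vulnerable_download_invoice() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Login required', 401 );
    }
    // Any logged-in user (subscriber and above) reaches this point.
    $invoice_id = (int) $_GET['invoice_id'];
    $invoice    = get_post( $invoice_id );  // no post_type check, no ownership check
    if ( ! $invoice ) {
        wp_send_json_error( 'Not found', 404 );
    }
    // Because post IDs are sequential, every other customer's invoice is reachable by changing the id.
    example_render_invoice( $invoice );
}

// --- Hardened pattern: validate the key, the object type and the caller's relation to the object ---
function example_hardened_download_invoice() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Login required', 401 );
    }
    // CSRF protection: the download link carries a nonce bound to this action (hypothetical action name).
    check_ajax_referer( 'example_download_invoice', 'nonce' );

    // Validate the user-controlled key before using it.
    $invoice_id = isset( $_GET['invoice_id'] ) ? absint( $_GET['invoice_id'] ) : 0;
    if ( 0 === $invoice_id ) {
        wp_send_json_error( 'Invalid invoice id', 400 );
    }

    $invoice = get_post( $invoice_id );
    // Confirm the object really is an invoice of the expected type (hypothetical post type slug).
    if ( ! $invoice || 'example_invoice' !== $invoice->post_type ) {
        wp_send_json_error( 'Not found', 404 );
    }

    // Object-level authorization: the missing step in the vulnerable version.
    if ( ! example_user_may_read_invoice( get_current_user_id(), $invoice ) ) {
        // Answer 404 rather than 403 so the response does not confirm that the id exists.
        wp_send_json_error( 'Not found', 404 );
    }
    example_render_invoice( $invoice );
}

// Single authorization decision: the invoice's customer, or a site administrator.
function example_user_may_read_invoice( $user_id, WP_Post $invoice ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // Hypothetical meta key recording which customer account the invoice belongs to.
    $owner_id = (int) get_post_meta( $invoice->ID, '_example_customer_user_id', true );
    return $owner_id > 0 && $owner_id === (int) $user_id;
}

// Stand-in for the real invoice output; returns the record as JSON instead of a PDF.
function example_render_invoice( WP_Post $invoice ) {
    wp_send_json_success(
        array(
            'id'    => $invoice->ID,
            'title' => $invoice->post_title,
        )
    );
}

// Register the hardened handler for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_download_invoice', 'example_hardened_download_invoice' );
```

The point of the hardened version is that authorization is decided against the object itself, not against the fact that the caller is logged in: the ownership lookup in example_user_may_read_invoice is what stops a subscriber-level account from walking through sequential IDs. Returning the same 404 for missing and foreign invoices also keeps the endpoint from acting as an oracle for which IDs exist.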
What an attacker can do
03 Attacker Capabilities
Read sensitive information they are not authorized to access.
Potential impact on your site
04 Site Impact
User data confidentiality is compromised; unauthorized information disclosure to authenticated users.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level privileges.
Key dates
06 Disclosure timeline
June 6, 2026: CVE published
June 6, 2026: Record updated