WordPress Security Bulletin: Invoct 6 PDF Invoices & Billing for WooCommerce Vulnerability (CVE-2026-1748)

Security Alert Summary

The Invoct 6 PDF Invoices & Billing for WooCommerce plugin for WordPress contains a missing capability check on multiple functions in all versions up to and including 1.6. Authenticated users with Subscriber-level access and above can retrieve invoice clients, invoice items, and a list of WordPress users including their email addresses.


CVE Details

  • CVE ID: CVE-2026-1748
  • Affected plugin / component: Invoct 6 PDF Invoices & Billing for WooCommerce plugin for WordPress
  • Affected versions: All versions up to and including 1.6
  • Published: February 11, 2026 at 9:15 AM (UTC)
  • Last modified: February 11, 2026 at 3:27 PM (UTC)
  • CVSS v3.1: Base Score 4.3 — MEDIUM
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Subscriber-level and above). No user interaction required.
  • Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
  • CWE: CWE-862 (Missing Authorization)

Technical Details

The vulnerability is a missing capability check on multiple functions in the plugin: the affected functions return invoice-related data without first verifying that the calling user holds a capability that entitles them to it. The CVE references point to specific lines of KirilKirkovWpInvoices.php in the plugin's 1.6 tag. In WordPress, being logged in is not the same as being authorized: any authenticated user, Subscriber included, can reach a plugin's AJAX (wp_ajax_*) or REST entry points, so a handler that omits current_user_can() (or a REST permission_callback) is gated by authentication alone. That is why Subscriber-level accounts can retrieve invoice clients, invoice items, and the list of WordPress users with their email addresses.

Nothing in the CVE description points to an integrity or availability impact. The effect is unauthorized disclosure of information resulting from missing authorization checks (CWE-862).
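To make the pattern concrete, the following is an added illustration, not code from the Invoct plugin or from the CVE references: a minimal admin-ajax handler that hands invoice data and the user list to any logged-in account, followed by the same handler with the nonce and capability checks a plugin should perform. The action names, the invoct_demo_* function names, the nonce action string and the table name are assumptions made for the example; the real plugin's schema and entry points are not on this page.

```php
<?php
/**
 * Added example (not the plugin's code). Shows the CWE-862 pattern described
 * above and its fix. All names below (hooks, functions, nonce action, table)
 * are hypothetical and chosen for illustration.
 */

// --- Vulnerable pattern --------------------------------------------------
// wp_ajax_{action} fires for EVERY authenticated user, whatever their role.
// Nothing here checks a capability, so a Subscriber can call the endpoint
// at /wp-admin/admin-ajax.php?action=invoct_demo_get_clients_vuln.
add_action( 'wp_ajax_invoct_demo_get_clients_vuln', 'invoct_demo_get_clients_vuln' );
function invoct_demo_get_clients_vuln() {
    global $wpdb;

    // Hypothetical invoice-client table; the plugin's real schema is unknown.
    $clients = $wpdb->get_results(
        "SELECT id, client_name, client_email FROM {$wpdb->prefix}invoct_demo_clients",
        ARRAY_A
    );

    // Worst case from the advisory: the full WordPress user list, with emails,
    // returned to whoever asked.
    $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );

    wp_send_json_success( array( 'clients' => $clients, 'users' => $users ) );
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_invoct_demo_get_clients', 'invoct_demo_get_clients' );
function invoct_demo_get_clients() {
    // 1. CSRF: the request must carry the nonce issued to the admin page.
    //    check_ajax_referer() dies with -1 on a bad or missing nonce.
    check_ajax_referer( 'invoct_demo_clients', 'nonce' );

    // 2. Authorization: require a capability only shop staff hold.
    //    WooCommerce grants 'manage_woocommerce' to Administrator and
    //    Shop Manager; Subscriber, Customer and Contributor do not have it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    global $wpdb;
    $clients = $wpdb->get_results(
        "SELECT id, client_name, client_email FROM {$wpdb->prefix}invoct_demo_clients",
        ARRAY_A
    );

    // 3. Data minimisation: only enumerate users for callers who may list
    //    users, and return only the fields the UI actually needs (no emails).
    $users = array();
    if ( current_user_can( 'list_users' ) ) {
        $users = get_users( array( 'fields' => array( 'ID', 'display_name' ) ) );
    }

    wp_send_json_success( array( 'clients' => $clients, 'users' => $users ) );
}
```

The same rule applies to REST routes registered with register_rest_route(): the permission_callback must return the result of a current_user_can() check rather than __return_true. A quick way to confirm a fix on a staging site is to log in as a Subscriber and request the endpoint: the vulnerable handler returns the JSON payload, while the hardened one returns the 403 error and nothing else.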


How This Could Impact Your Website

Consider a small WooCommerce store where the owner manages invoices, a staff member handles customer service, and an external contractor occasionally helps with order reports. Any Subscriber- or Contributor-level account on that site, whether created for testing, for the contractor, or through self-registration if registration is open, can pull the invoice clients, invoice items, and the full user list with email addresses, with no further authorization check.

The practical consequence is exposure of staff and customer email addresses together with order-related metadata, which makes targeted phishing and social engineering against staff or customers more convincing. Based on the available data, the flaw does not allow data modification or denial of service, but it does put your user and customer information at risk of disclosure.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. The CVE entry does not specify a fixed version, so check the plugin's changelog and confirm that the installed version is later than 1.6 once an update ships.
  • Review user accounts and remove or downgrade any that are unnecessary, particularly Subscriber- and Contributor-level accounts that have no need for invoice data or user lists; if the store does not need open registration, disable it, since self-registered accounts fall into the affected privilege range.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as low-privilege accounts requesting invoice-related endpoints or the user list.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References

Note: The CVE entry identifies the vulnerability and the affected versions but does not name a fixed or patched version.