Security Alert Summary
The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 contains a weakness in its bulk download invoices action where generated ZIP archives containing exported invoice PDFs are named predictably. Predictable ZIP filenames can be brute forced, allowing an attacker to retrieve personally identifiable information (PII) from the exported PDFs.
CVE Details
- CVE ID: CVE-2026-2343
- Affected component: PeproDev Ultimate Invoice WordPress plugin
- Affected versions: through 2.2.5
- Published: March 25, 2026 6:16 AM UTC
- Last Modified: March 25, 2026 3:41 PM UTC
- CVSS v3.1: Base Score 5.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Authentication / Privileges / User Interaction: no authentication required; privileges required: none; user interaction: none
- Primary impact: Confidentiality: Low; Integrity: None; Availability: None
- CWE: Not specified in the CVE data
Technical Details
According to the CVE description, the plugin exposes a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, which allows an attacker to enumerate or brute force filenames and retrieve the archives. Because the archive names are predictable, an attacker can automate requests to download ZIP files and extract PDFs that may contain customer or invoice PII.
The issue stems from predictable naming of the exported ZIP files used by the bulk download action; the CVE description does not list specific functions or REST endpoints beyond the bulk download invoices action.
How This Could Impact Your Website
In a typical scenario, a site owner runs the PeproDev Ultimate Invoice plugin to generate customer invoices. Internal staff create invoices and may use the plugin’s bulk download feature to export records for accounting. An external contractor or contributor who has access to parts of the site could inadvertently expose ZIP download links if filenames are predictable. An unauthenticated attacker could script repeated requests for predictable ZIP names and retrieve exported PDFs containing customer names, email addresses, billing details, or other invoice data. This increases the risk of targeted phishing or social engineering against customers whose contact details appear in the exported files.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and access logs for unusual download requests or spikes in archive downloads.
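As an added example of the log monitoring recommended above (this is not code from the plugin or its vendor), the script below parses combined-format web server access logs and flags any client that requests many distinct ZIP archive names in a short window, which is what brute forcing predictable filenames looks like on the server side. The archive path prefix and the sample log lines are constructed placeholders, not the plugin's real storage location or naming scheme.

```python
# Added example for this advisory (not code from the plugin or its vendor):
# flag clients that request many distinct invoice ZIP archives in a short
# window, the access-log signature of filename brute forcing. The archive
# path prefix and the log lines below are constructed placeholders, not the
# plugin's real layout or naming scheme.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ZIP_PREFIX = "/wp-content/uploads/invoices/"   # hypothetical archive location
LOG_RE = re.compile(                            # Apache/Nginx combined format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_enumerators(lines, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> number of distinct ZIP names it requested under
    ZIP_PREFIX inside any `window`, for clients at or above `threshold`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2].startswith(ZIP_PREFIX) and rec[2].lower().endswith(".zip"):
            events[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {p for t, p in hits[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[ip] = len(names)
                break
    return flagged

# Constructed sample: one client guessing sequential names, one staff download.
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/Mar/2026:10:00:{s:02d} +0000] "GET {ZIP_PREFIX}invoices-2026-03-{d:02d}.zip HTTP/1.1" {c} 0 "-" "curl/8.5"'
    for s, d, c in [(1, 1, 404), (2, 2, 404), (3, 3, 200), (4, 4, 404), (5, 5, 200), (6, 6, 404)]
] + ['192.0.2.10 - - [25/Mar/2026:10:02:00 +0000] "GET /wp-content/uploads/invoices/invoices-2026-03-05.zip HTTP/1.1" 200 48211 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct archive names requested, possible enumeration")
```

Tune `threshold` and `window` to your site's normal bulk download volume; a single staff member exporting one archive should never trip it, while a scripted sweep of dozens of names does.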
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.