
CVE-2024-13719: PeproDev Ultimate Invoice <= 2.0.8 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure

5.3 CVSS

Description

The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders, which can contain PII of users.
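The advisory's root cause is an invoice viewer that trusts a request parameter without checking that the requester is entitled to that particular order. The following PHP is an added illustration written for this page; it is not the PeproDev plugin's code and makes no claim about how that plugin is implemented. It contrasts the vulnerable pattern (order looked up by a request-supplied id and rendered) with a hardened handler that requires proof of entitlement. It assumes WooCommerce is loaded (`wc_get_order`, `WC_Order`, the order's own `get_order_key()`), and `render_invoice_html()` is a hypothetical rendering function defined elsewhere.

```php
<?php
/**
 * Added example (not the PeproDev Ultimate Invoice plugin's code).
 * Assumes WooCommerce is loaded; render_invoice_html() is hypothetical.
 */

// Vulnerable pattern: the class of bug the advisory describes. The order id
// comes straight from the request, and the order id alone is not a secret,
// so an unauthenticated visitor who supplies a valid id sees that invoice.
function insecure_view_invoice() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( $order ) {
        echo render_invoice_html( $order ); // no ownership or key check
    }
}

// Hardened handler: the caller must prove they may see THIS order.
function secure_view_invoice() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    if ( ! $order instanceof WC_Order || ! invoice_access_allowed( $order ) ) {
        // Same response for "missing" and "not yours" so the endpoint does
        // not confirm which order ids exist.
        wp_die( esc_html__( 'Invoice not found.', 'example' ), '', array( 'response' => 404 ) );
    }

    nocache_headers(); // invoices carry PII; keep them out of shared caches
    echo render_invoice_html( $order );
}

/**
 * Authorisation decision, kept separate so it can be unit-tested.
 * Access is allowed if one of these holds:
 *  (a) the request carries the order's own secret key, compared in
 *      constant time so the check does not leak via timing;
 *  (b) the visitor is logged in as the customer who placed the order;
 *  (c) the visitor holds the manage_woocommerce capability (shop staff).
 */
function invoice_access_allowed( WC_Order $order ) {
    $supplied_key = isset( $_GET['key'] )
        ? sanitize_text_field( wp_unslash( $_GET['key'] ) )
        : '';

    if ( '' !== $supplied_key && hash_equals( $order->get_order_key(), $supplied_key ) ) {
        return true;
    }

    $user_id = get_current_user_id();
    if ( $user_id && (int) $order->get_customer_id() === $user_id ) {
        return true;
    }

    return current_user_can( 'manage_woocommerce' );
}
```

The important design point is that the key check is tied to the specific order being requested (`$order->get_order_key()`), so a parameter that is merely present or well-formed is never enough; a key must match the order it is presented for. Returning the same 404 for an unknown id and an unauthorised one avoids turning the viewer into an oracle for which order ids exist.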

Classification

CVE ID: CVE-2024-13719

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor: peprodev

Product: PeproDev Ultimate Invoice

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (estimated probability of exploitation in the wild)

EPSS Percentile: 5.42% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-20 (date the score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/46186f8d-e50c-476a-9480-b6121412474a?source=cve
https://wordpress.org/plugins/pepro-ultimate-invoice/

Timeline