Security Bulletin for 29 June 2026: Critical Unauthenticated Account Takeover in the Invoice Generator Plugin, an Authorization Flaw in ProfilePress and Stored Cross-Site Scripting in the SiteOrigin Page Builder
29 June 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. From the vulnerabilities published over the past few days, for 29 June 2026 we highlight three: a critical account takeover that can be carried out entirely without a login, plus two flaws in widely used plugins for which a corrected version is already available.
CVE-2026-12415 — Unauthenticated Account Takeover in the Invoice Generator Plugin (critical)
The Invoice Generator plugin for WordPress, which creates invoices from within WordPress, contains a critical vulnerability in all versions up to and including 1.0.0 that can be exploited entirely without a login. The cause is that the AJAX endpoint responsible for editing account data (pravel_invoice_edit_account) is additionally exposed through the unauthenticated nopriv variant and performs no authorization check whatsoever. As a result, an attacker without any valid account can change the stored email address of any user, including an administrator, to an address they control, and then request a login link via the regular password reset function. In this way they gain full control of the account and thus of the site. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and assigns it to weakness class CWE-269 (improper privilege management). At the time of writing the database lists no corrected version; operators who use the plugin should therefore deactivate and remove it immediately until an update is released.
Sources: National Vulnerability Database — CVE-2026-12415
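To make the class of bug concrete, the following is an illustrative WordPress AJAX handler written for this bulletin; it is not the Invoice Generator plugin's own code, and everything except the action name pravel_invoice_edit_account (the handler and nonce names, the request fields) is assumed. The vulnerable pattern is shown first with its registration commented out so that only the hardened handler is wired up when the file is loaded.

```php
<?php
// Constructed for this bulletin; not the Invoice Generator plugin's source.
// Handler and nonce names other than the action name are assumptions.

// --- Vulnerable pattern (as described for CVE-2026-12415) -----------------
// The handler trusts the caller's user id and is hooked on the nopriv
// action too, so anyone on the internet can rewrite any user's email.
function vuln_edit_account() {
    $user_id = absint( $_POST['user_id'] );              // attacker-chosen target
    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => sanitize_email( $_POST['email'] ),
    ) );                                                  // no nonce, no capability check
    wp_send_json_success();
}
// add_action( 'wp_ajax_pravel_invoice_edit_account',        'vuln_edit_account' );
// add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', 'vuln_edit_account' );

// --- Hardened pattern -----------------------------------------------------
function safe_edit_account() {
    // Anti-CSRF: nonce created with wp_create_nonce( 'pravel_edit_account' ).
    check_ajax_referer( 'pravel_edit_account', 'nonce' );

    // Authentication: be explicit even though wp_ajax_ already requires a session.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // Authorization: default to the caller's own record; editing someone else
    // requires the edit_users capability. The client never picks the victim.
    $target = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( $target !== get_current_user_id() && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $result = wp_update_user( array( 'ID' => $target, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
// Authenticated requests only: deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_pravel_invoice_edit_account', 'safe_edit_account' );
```

When auditing a plugin for this pattern, the quick check is to grep for every wp_ajax_nopriv_ registration and confirm that each handler either needs no authorization at all or enforces it itself, since the nopriv hook removes WordPress's login requirement.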
CVE-2026-10820 — Authorization Flaw (IDOR) in the ProfilePress Membership Plugin (high)
ProfilePress, in full “Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content”, which provides registration, login, profiles and paid memberships on WordPress sites, contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions before 4.16.17. Because the plugin processes a user-controlled key without sufficiently checking whether the caller is actually authorized for the object being addressed, an already logged-in user holding the low “Subscriber” role can cancel other users’ memberships and subscriptions. Since many sites allow subscribers to self-register, the bar for exploitation is often low in practice. The National Vulnerability Database assigns a CVSS score of 8.1, classifies the flaw as high and assigns it to weakness class CWE-639 (authorization bypass through a user-controlled key). The vulnerability is fixed in version 4.16.17, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-10820 · WPScan advisory
CVE-2026-13295 — Stored Cross-Site Scripting in the SiteOrigin Page Builder (medium)
The SiteOrigin Page Builder, for years one of the most widely used tools for building WordPress layouts, contains a stored cross-site scripting flaw in all versions up to and including 2.34.3. Because the page content supplied via the panels_data parameter is neither adequately sanitized on saving nor escaped on later output, an already logged-in user holding the “Contributor” role can plant malicious code that is subsequently executed in the browsers of other users as soon as they open the affected page. The National Vulnerability Database assigns a CVSS score of 6.4, classifies the flaw as medium and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 2.34.4; operators should update promptly.
Sources: National Vulnerability Database — CVE-2026-13295 · Wordfence — SiteOrigin Page Builder
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.