Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
The vulnerability classified as CWE-94 (Code Injection) allows an attacker to inject and execute malicious code without requiring an account in the WordPress system. A network attack vector (AV:N) with no privilege requirements (PR:N) and no user interaction (UI:N) means the exploit can be performed remotely by anyone with access to the web server. The scope of the vulnerability extends beyond the plugin itself (S:C), indicating the possibility of affecting a broader system context.
An attacker can gain full control over the server — execute arbitrary code, read or modify data (including invoices and customer data), and completely disable the service. The compromise affects confidentiality, integrity, and availability of the system at a critical level.
The Easy Invoice plugin should be updated immediately to a version higher than 2.1.19. Detailed information about the available patch is available in the vendor's references and in the Patchstack database. Until the update is applied, it is recommended to disable or uninstall the plugin.
WordPress Easy Invoice plugin in versions 2.1.19 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H