CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-48836

CVSS 10.0v3.1pub. 2026-06-15

Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-94 (Code Injection) allows an attacker to inject and execute malicious code without requiring an account in the WordPress system. A network attack vector (AV:N) with no privilege requirements (PR:N) and no user interaction (UI:N) means the exploit can be performed remotely by anyone with access to the web server. The scope of the vulnerability extends beyond the plugin itself (S:C), indicating the possibility of affecting a broader system context.

Impact

An attacker can gain full control over the server — execute arbitrary code, read or modify data (including invoices and customer data), and completely disable the service. The compromise affects confidentiality, integrity, and availability of the system at a critical level.

Mitigation & patch

The Easy Invoice plugin should be updated immediately to a version higher than 2.1.19. Detailed information about the available patch is available in the vendor's references and in the Patchstack database. Until the update is applied, it is recommended to disable or uninstall the plugin.

Who is affected

WordPress Easy Invoice plugin in versions 2.1.19 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References