Attack Vectors
The vulnerability in Invoct – PDF Invoices & Billing for WooCommerce (slug: kirilkirkov-pdf-invoice-manager) affects versions 1.6 and below and is rated Medium severity (CVSS 4.3). It can be exploited over the network by an attacker who already has a valid WordPress login with Subscriber-level access or higher.
In practical terms, this means risk increases when your site allows user registration (even for basic accounts), uses shared or reused credentials, or has many low-privilege users such as customers, partners, contractors, or temporary staff who retain access longer than intended.
Similar Attacks: Information exposure vulnerabilities that leak customer or user data are a common pattern in WordPress ecosystems. Real-world examples include CVE-2023-27372 (Tutor LMS), CVE-2021-29447 (WordPress XXE in media), and CVE-2020-35489 (Contact Form 7).
Security Weakness
CVE-2026-1748 is caused by a missing authorization (capability) check on multiple functions within the plugin. In WordPress terms, the plugin does not properly restrict what lower-privilege authenticated users are allowed to access.
As a result, authenticated users with minimal privileges (Subscriber+) may be able to retrieve invoice clients, invoice items, and a list of WordPress users with their email addresses. Even though the severity is Medium, the nature of the exposed data can create outsized business risk—especially for organizations with regulated data, high-volume customer lists, or strict contractual privacy obligations.
Remediation is straightforward: update Invoct – PDF Invoices & Billing for WooCommerce to version 1.7 or newer, which is the patched release per the published advisory.
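To make the weakness concrete, here is an added illustrative example (not the plugin's own code, and not taken from the advisory) of what a missing capability check on a WordPress admin-ajax handler looks like next to a hardened version. The action names, function names, nonce name and table name are assumptions for illustration only.

```php
<?php
// Added example, not Invoct's code. Action, function, nonce and table names
// are hypothetical. It contrasts a handler with no authorization check
// against one that enforces a nonce and a capability.

// Weak pattern (shown for contrast only, not registered below): any
// authenticated user, including Subscribers, can call wp_ajax_* actions,
// so without a capability check the handler hands back invoice clients.
function example_get_invoice_clients_weak() {
    wp_send_json_success( example_load_invoice_clients() );
}

// Hardened pattern: verify the request nonce (CSRF) and then require a
// capability Subscribers do not hold. 'manage_woocommerce' is held by
// shop managers and administrators; pick the narrowest capability that
// matches the feature, and fail closed before touching any data.
add_action( 'wp_ajax_example_get_invoice_clients', 'example_get_invoice_clients_safe' );
function example_get_invoice_clients_safe() {
    check_ajax_referer( 'example_invoices_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // wp_die()s
    }
    wp_send_json_success( example_load_invoice_clients() );
}

// Listing WordPress users with their email addresses is guarded by the core
// 'list_users' capability, which Subscribers also lack.
add_action( 'wp_ajax_example_list_users', 'example_list_users_safe' );
function example_list_users_safe() {
    check_ajax_referer( 'example_invoices_nonce', 'nonce' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $users = get_users( array( 'fields' => array( 'ID', 'display_name', 'user_email' ) ) );
    wp_send_json_success( $users );
}

// Hypothetical data source for the invoice client list (assumed table name).
function example_load_invoice_clients() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_invoice_clients';
    return $wpdb->get_results( "SELECT id, name, email FROM {$table}", ARRAY_A );
}
```

A quick review check for any plugin that exposes such endpoints: every `wp_ajax_*` and REST callback that returns customer or user data should contain a `current_user_can()` test, and a REST route should set a `permission_callback` rather than leaving it as `__return_true`.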
Technical or Business Impacts
This issue primarily creates an information exposure risk. If exploited, it may reveal customer-related invoice information and internal user details (including emails). While it does not indicate that payments can be altered or orders can be changed, the exposed data can still be valuable to attackers.
Business impacts can include increased phishing and social engineering against customers and staff (using real names, invoice context, or verified email addresses), reputational damage if customer data is disclosed, and potential compliance or contractual concerns depending on what invoice data is accessible in your environment.
For marketing leaders and executives, the key risk is that leaked customer and user email lists can quickly turn into brand trust erosion, deliverability issues (if attacker-driven spam campaigns leverage your domain’s customer base), and incident response costs. Because exploitation only requires a low-privilege login, organizations with open registration or many user accounts should treat upgrading to Invoct 1.7+ as a priority to reduce exposure.