The Permission Check That Wasn't
The WordPress Invoice Generator plugin registers an AJAX handler — wp_ajax_nopriv_pravel_invoice_edit_account — that modifies user account data. The nopriv prefix means WordPress routes unauthenticated requests to it. The handler performs no capability check. No nonce verification. No authentication of any kind. An unauthenticated visitor sends a crafted POST request and becomes administrator.
This is not a complex exploit chain. There is no buffer overflow, no race condition, no memory corruption. The function simply doesn't check whether the caller is authorized. CVSS 9.8 for a missing if-statement.
Plugin Roulette: The Pattern That Never Ends
This is the WordPress plugin security model working exactly as designed. Any developer can publish a plugin. Any plugin can register nopriv AJAX handlers. WordPress does not enforce capability checks at the framework level — each plugin author must implement their own. When they forget, or don't know they should, you get CVE-2026-12415.
Last week, a permission callback that returned true exposed 100,000 sites' live API keys. This week, a nopriv handler with no capability check creates instant admin accounts. The failure mode is identical: WordPress trusts plugin authors to implement security correctly, and plugin authors don't.
The Cost Equation
WordPress scores 45/100 on WebPulse's framework health assessment. Its 18,005 CVEs aren't a historical artifact — they're a prediction of future behavior. The architecture that produced CVE-2026-12415 is the same architecture that will produce CVE-2026-12416. The only question is which plugin, and how many sites are exposed when it happens.
Remove or update the Invoice Generator plugin immediately. Audit all plugins for nopriv AJAX handlers without capability checks. Or ask the question that 18,005 CVEs have been answering for years: is this the platform your business should depend on?
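To make the audit step above concrete, here is an added example (not the plugin's or this article's code) that scans PHP plugin source for nopriv AJAX handlers whose callback never calls a capability or nonce check. Only the first hook name comes from the article; the sample plugin text, the callback names and the guard list are constructed assumptions, and the scan only understands plain string callbacks, so it is a triage aid rather than a proof of safety.

```python
import re

# Constructed sample plugin source for the audit; only the first hook name is
# from the advisory, the callback names and bodies are made up for illustration.
SAMPLE_PLUGIN = r'''
add_action( 'wp_ajax_nopriv_pravel_invoice_edit_account', 'pravel_edit_account' );
add_action( 'wp_ajax_nopriv_pravel_public_quote', 'pravel_public_quote' );
function pravel_edit_account() {
    $user = get_user_by( 'id', intval( $_POST['user_id'] ) );
    $user->set_role( sanitize_text_field( $_POST['role'] ) );  // no authz at all
    wp_send_json_success();
}
function pravel_public_quote() {
    check_ajax_referer( 'pravel_quote', 'nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'quote' => 'ok' ) );
}
'''

# Matches add_action( 'wp_ajax_nopriv_<name>', '<callback>' ) with a string callback.
# Closures, array callbacks and [$this, 'method'] are not matched by this heuristic.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_nopriv_[\w-]+)['"]\s*,\s*['"](\w+)['"]""")
# Calls that show the handler at least attempts an authorization or CSRF check.
GUARDS = ("current_user_can", "check_ajax_referer", "wp_verify_nonce")

def function_body(src, name):
    """Return the body of PHP function `name` by tracking brace depth
    (braces inside string literals would confuse this simple scan)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_unguarded_nopriv_handlers(src):
    """Return (hook, callback) pairs for unauthenticated AJAX handlers whose
    callback calls none of GUARDS, or whose callback cannot be located."""
    findings = []
    for hook, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None or not any(g in body for g in GUARDS):
            findings.append((hook, callback))
    return findings
```

Run it over each file under wp-content/plugins; every hit is a handler to read by hand, because a nopriv hook is only legitimate when the action it performs is safe for an anonymous visitor, and a guard call alone does not prove the check is correct.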