mediumCVE-2026-9021

Easy Invoice WordPress Plugin Quote Action Authorization Bypass Vulnerability

The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easy_invoice_accept_quote and easy_invoice_decline_quote AJAX actions via wp_ajax_nopriv_ hooks and relying solely on a quote-scoped nonce that is rendered into the publicly accessible single quote template, combined with an ownership check that is gated behind an off-by-default Pro option (easy_invoice_pro_restrict_quote_to_client). This makes it possible for unauthenticated attackers to accept or decline arbitrary published quotes — and, depending on the configured accept action, automatically convert them into invoices (and even email them to the client) — by harvesting the per-quote nonce from the public quote page and submitting it to admin-ajax.

ProductEasy Invoice
CVSS5.3
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Easy Invoice should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Easy Invoice up to and including 2.1.19

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Easy Invoice is affected by CVE-2026-9021. The vulnerable versions allow an attacker to abuse a missing authorization, capability, or nonce check: public quote actions can be accepted or declined without a reliable ownership and capability check. Update or disable the plugin first on public WordPress and WooCommerce sites.

  1. Inventory every WordPress site where Easy Invoice is installed and enabled.
  2. Update Easy Invoice beyond the affected version 2.1.19 when a vendor-fixed release is available.
  3. Disable the plugin temporarily if the affected workflow is exposed and no fixed release is available.
  4. Remove unnecessary subscriber accounts and review recently created low-privilege users.
  5. Restrict the vulnerable AJAX or REST actions with WAF rules until the plugin is patched.
  6. Review WordPress, WooCommerce, and plugin logs for suspicious requests targeting the affected action or order/job/quote identifiers.
  7. Clear page, object, and CDN caches after patching so old localized nonce or JavaScript data is not reused.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Easy Invoice is not running version 2.1.19 or older.
  • Test the affected action as a subscriber or unauthenticated user in staging and confirm the request is rejected.
  • Verify legitimate administrator or shop-manager workflows still work after the update.
  • Review recent content, labels, quotes, orders, or settings for unauthorized changes.
  • Run a Fixnx scan and confirm public WordPress exposure signals have been rechecked.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-9021?

Easy Invoice versions listed as affected should be reviewed: Easy Invoice up to and including 2.1.19.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.