MEDIUM 4.3

CVE-2026-8611: Klamra Paycal WordPress Plugin IDOR Allows Unauthorized Invoice Access

A WordPress plugin called Klamra Paycal for Aspaclaria contains a flaw that allows authenticated users with subscriber-level permissions to access and download invoices belonging to other customers. The vulnerability stems from insufficient access controls on invoice retrieval—an attacker can simply modify an invoice identifier in a request to view sensitive billing data from any customer, including names, email addresses, phone numbers, order amounts, and internal notes. No special privileges or user interaction are required beyond basic authenticated access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8611 is an Insecure Direct Object Reference (IDOR) vulnerability in the Klamra Paycal for Aspaclaria WordPress plugin (versions ≤1.1.4). The 'invoice_id' parameter used to retrieve invoice records lacks proper authorization validation, allowing attackers to bypass object-level access controls through sequential enumeration. The plugin fails to verify that the requesting user owns or has legitimate access to the invoice before serving the document. This enables horizontal privilege escalation, where a low-privileged authenticated user can access resources belonging to other users at scale.

Business impact

This vulnerability poses a material privacy and compliance risk. Unauthorized access to customer invoices exposes personally identifiable information (name, email, phone) and financial transaction details. Organizations using this plugin may face GDPR, CCPA, or HIPAA violations depending on jurisdiction and data classification, resulting in regulatory fines, mandatory breach notifications, and reputational harm. The low barrier to exploitation—requiring only subscriber-level access—increases likelihood of insider misuse or compromise of low-privilege accounts. Customers may also suffer identity theft or social engineering attacks using harvested billing information.

Affected systems

The Klamra Paycal for Aspaclaria plugin for WordPress is affected in all versions up to and including 1.1.4. Any WordPress installation with this plugin active and with user registration enabled (allowing subscriber-level accounts) is at risk. The vulnerability is accessible to any authenticated user, including those with minimal permissions, making multiuser WordPress deployments and customer-facing sites particularly vulnerable.

Exploitability

This vulnerability is straightforward to exploit. An attacker with subscriber-level access (obtained through registration or account compromise) can craft requests to the invoice download endpoint, incrementing the invoice_id parameter to enumerate and retrieve invoices belonging to arbitrary customers. No authentication bypass, social engineering, or advanced techniques are required. The attack is reliable, repeatable, and leaves minimal evidence if audit logging is not comprehensive. CVSS 3.1 score of 4.3 (MEDIUM) reflects the requirement for prior authentication, but the low complexity and ease of exploitation warrant immediate attention.

Remediation

Affected organizations should immediately update the Klamra Paycal for Aspaclaria plugin to a version that includes authorization checks on invoice retrieval. Verify the latest patched version against the vendor's advisory. As an interim measure, restrict invoice functionality to administrators only via plugin settings if available, or disable the plugin pending a patch. Additionally, audit access logs for unauthorized invoice downloads and review customer notification procedures in the event of potential exposure.

Patch guidance

Check the official plugin repository and vendor security advisories for a patched release addressing this IDOR vulnerability. Update to the earliest available version after 1.1.4 that includes object-level authorization validation on invoice retrieval. Test the patch in a staging environment before production deployment to confirm functionality is preserved. Verify in the changelog that CWE-639 authorization issues have been remediated.

Detection guidance

Monitor invoice download requests for anomalous patterns: sequential invoice ID enumeration, requests from low-privilege accounts accessing invoices outside their ownership scope, and sudden spikes in invoice API calls. Enable and audit WordPress user activity logs, focusing on plugin interactions and file downloads. Implement Web Application Firewall (WAF) rules to detect repeated failed authorization responses or suspicious parameter manipulation on invoice endpoints. Review access logs for invoice endpoints, comparing user role/capability against accessed resource ownership.

Why prioritize this

Although CVSS 4.3 is rated MEDIUM, this vulnerability warrants higher priority due to: (1) direct exposure of sensitive PII and financial data with no complexity barrier; (2) low friction exploitation requiring only common subscriber access; (3) high likelihood of intentional abuse by insiders or compromised low-privilege accounts; (4) regulatory compliance exposure (GDPR, CCPA, etc.); and (5) potential for rapid, undetected enumeration of customer data at scale. Organizations handling customer payment information should prioritize patching within days, not weeks.

Risk score, explained

CVSS 3.1 assigns 4.3 (MEDIUM) based on: Network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for low-level authentication (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), and low confidentiality impact (C:L). The score does not account for the volume and sensitivity of exposed data, the practical ease of exploitation, or organizational compliance obligations, all of which elevate business risk above the numeric severity. Organizations should consider local risk context and regulatory environment when setting internal priority.

Frequently asked questions

Who is impacted by this vulnerability?

Any organization running WordPress with the Klamra Paycal for Aspaclaria plugin (version 1.1.4 or earlier) and with user registration enabled. The vulnerability is exploitable by any authenticated user, including those with minimal subscriber-level permissions. Multiuser WordPress sites and e-commerce platforms are at highest risk.

What is an Insecure Direct Object Reference (IDOR)?

An IDOR occurs when an application uses user-supplied input to directly reference database objects or resources without adequate authorization checks. Attackers can modify parameters (like invoice IDs) to access resources belonging to other users. This is a horizontal privilege escalation technique requiring only valid authentication, not elevated permissions.

Can I temporarily protect my site without patching?

As interim steps: (1) restrict invoice functionality to administrators only if plugin settings permit, (2) disable the plugin entirely pending patch availability, (3) implement firewall rules blocking suspicious invoice API patterns, and (4) audit recent invoice downloads for unauthorized access. These are temporary measures only; patching is required for complete remediation.

Do I need to notify customers if this vulnerability was present on my site?

If the plugin was active and user registration was enabled, unauthorized invoice access may have occurred. Review access logs to assess exposure. Depending on your jurisdiction and data classification, you may be obligated to provide breach notification to affected customers under GDPR, CCPA, or similar regulations. Consult legal counsel and your incident response procedures.

This analysis is provided for informational and defensive security purposes. No exploit code or weaponized proof-of-concept procedures are included. Organizations should verify patch availability and version numbers against official vendor advisories before deployment. The CVSS score and severity classifications are sourced from the National Vulnerability Database and represent technical factors only; organizational risk may differ based on deployment context, data sensitivity, and regulatory obligations. Testing should be conducted in controlled environments before production patching. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).