CVE-2026-8611 Overview
CVE-2026-8611 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in the Klamra Paycal for Aspaclaria plugin for WordPress. The flaw affects all versions up to and including 1.1.4. The plugin fails to validate a user-controlled key in the invoice_id parameter when serving invoice downloads. Authenticated attackers with subscriber-level access or higher can enumerate sequential post IDs and download arbitrary customer invoices. The exposed data includes full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
Critical Impact
Authenticated low-privilege users can harvest billing PII from every customer record by iterating through sequential invoice identifiers.
Affected Products
- Klamra Paycal for Aspaclaria plugin for WordPress, versions through 1.1.4
- WordPress sites with subscriber registration enabled and the plugin installed
- E-commerce deployments using the plugin's legacy invoice module
Discovery Timeline
- 2026-06-06 - CVE-2026-8611 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-8611
Vulnerability Analysis
The vulnerability resides in the plugin's legacy invoice download handler. The download.php script in the includes/Modules/Invoices/Legacy/includes/pdf/ directory accepts an invoice_id parameter from the request. The handler retrieves and renders the invoice without verifying that the requesting user owns the referenced invoice. Any authenticated user, including a self-registered subscriber, can substitute another customer's post ID and receive the corresponding invoice PDF.
The rendering logic in render.php at line 72 trusts the supplied identifier and queries the post object directly. No capability check, ownership check, or nonce validation is performed before sensitive data is written to the response body. The result is a direct mapping between a guessable integer and a private billing record.
Root Cause
The root cause is missing authorization on a user-controlled key, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The plugin treats authentication as authorization, assuming any logged-in user requesting an invoice_id is entitled to that invoice. WordPress post IDs are sequential and trivially enumerable, which makes the missing check directly exploitable at scale.
Attack Vector
An attacker registers a subscriber account on the target WordPress site. The attacker then issues authenticated GET requests to the invoice download endpoint, incrementing the invoice_id parameter through the range of valid post IDs. Each successful response returns the PDF invoice for another customer. The vulnerability requires no user interaction from the victim and operates entirely over the network.
The vulnerability is described in prose because no verified proof-of-concept code has been published. Technical details are available in the Wordfence Vulnerability Report and the WordPress Plugin Changeset.
Detection Methods for CVE-2026-8611
Indicators of Compromise
- Repeated authenticated requests to the plugin's invoice download endpoint with sequentially incrementing invoice_id values from a single session or IP.
- HTTP 200 responses returning PDF content to subscriber-role accounts that have no associated orders.
- Newly created subscriber accounts that immediately begin issuing invoice download requests.
Detection Strategies
- Review WordPress access logs for high-volume GET requests to download.php under the klamra-paycal-for-aspaclaria plugin path, filtered by authenticated session cookies.
- Correlate requesting user IDs against order ownership in the database to identify users downloading invoices they do not own.
- Alert on subscriber-level accounts that retrieve more than a small number of distinct invoice IDs within a short window.
Monitoring Recommendations
- Enable verbose request logging on the web server for plugin-handled URLs and retain logs for forensic review.
- Monitor the wp_users table for spikes in self-service registrations followed by invoice endpoint activity.
- Track outbound bandwidth from the WordPress host for unusual sustained PDF downloads.
How to Mitigate CVE-2026-8611
Immediate Actions Required
- Update the Klamra Paycal for Aspaclaria plugin to a version newer than 1.1.4 once the vendor releases a fixed release.
- Audit existing subscriber accounts and remove any unrecognized or recently created users.
- Review web server logs for prior enumeration activity against the invoice download endpoint and notify affected customers if data exposure is confirmed.
Patch Information
Reference the WordPress Plugin Changeset for the upstream code change. Administrators should apply the latest plugin update from the official WordPress plugin repository. Verify the installed version is greater than 1.1.4 after applying the update.
Workarounds
- Disable the Klamra Paycal for Aspaclaria plugin until a patched version is installed.
- Disable open user registration on the WordPress site to prevent attackers from creating subscriber accounts.
- Deploy a web application firewall rule that blocks unauthenticated and subscriber-level access to the includes/Modules/Invoices/Legacy/includes/pdf/download.php path.
# Example WAF rule to block subscriber access to legacy invoice download endpoint
SecRule REQUEST_URI "@contains /klamra-paycal-for-aspaclaria/includes/Modules/Invoices/Legacy/includes/pdf/download.php" \
"id:1026861101,phase:1,deny,status:403,msg:'Block CVE-2026-8611 IDOR enumeration'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
