The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset_activation_code POST parameter and the target user's stored forgot_email user meta value. That check trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which under normal conditions applies to administrators. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset_user_id POST parameter, bypass the activation code check entirely by omitting reset_activation_code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
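As an added example that is not the plugin's own code, this is the hardened shape of such an AJAX reset handler: nonce verification, a non-empty and strict comparison of the stored code, and single use of the code. The hook, function, nonce action and new_password field names are assumed; only the reset_user_id and reset_activation_code parameters and the forgot_email meta key come from the advisory.

```php
<?php
// Added example (hypothetical names): a password-reset AJAX handler with the
// checks the advisory says pravel_invoice_change_password() is missing.

add_action( 'wp_ajax_nopriv_example_reset_password', 'example_reset_password' );
add_action( 'wp_ajax_example_reset_password', 'example_reset_password' );

function example_reset_password() {
    // 1. Nonce check: dies with a 403 unless the request carries a valid
    //    nonce issued for this action by the plugin's own reset form.
    check_ajax_referer( 'example_reset_password_nonce', 'nonce' );

    $user_id  = isset( $_POST['reset_user_id'] ) ? absint( $_POST['reset_user_id'] ) : 0;
    $code     = isset( $_POST['reset_activation_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ) ) : '';
    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'Invalid request.', 400 ); // wp_send_json_error() exits
    }

    // 2. Never compare with a loose ==. get_user_meta() returns '' when the
    //    user has never requested a reset, and '' == '' (and '' == null) is
    //    true in PHP, which is exactly the bypass described above. Require a
    //    non-empty stored code AND a non-empty supplied code, then compare
    //    with hash_equals() (strict, constant-time, known value first).
    $stored = (string) get_user_meta( $user_id, 'forgot_email', true );
    if ( '' === $stored || '' === $code || ! hash_equals( $stored, $code ) ) {
        wp_send_json_error( 'Invalid reset code.', 403 );
    }

    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'Password too short.', 400 );
    }

    // 3. Single use: invalidate the code before the password changes, so a
    //    replayed request cannot reset the account a second time.
    delete_user_meta( $user_id, 'forgot_email' );
    wp_set_password( $password, $user_id );
    wp_send_json_success( 'Password updated.' );
}
```

In a real deployment the stored code should also be generated with a CSPRNG and carry an expiry, which this example does not show.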