Unauthenticated Account Takeover via Password Reset in Invoice Generator for WordPress

This repository is a small standalone Python exploit/scanner for two WordPress plugin vulnerabilities: CVE-2026-12416 in Invoice Generator <= 1.0.0 and CVE-2026-12417 in SignUp & SignIn <= 1.0.0. The repository contains one main code file, a README describing the vulnerabilities and workflow, and a custom license. The Python script is the operational entry point and implements concurrent mass scanning against a list of target WordPress sites. Core exploit capability: the script abuses unauthenticated WordPress AJAX handlers exposed through /wp-admin/admin-ajax.php using the actions pravel_change_password and pravel_invoice_change_password. It submits reset_user_id, an attacker-chosen new_password_custom value, and an empty reset_activation_code to trigger arbitrary password resets for guessed user IDs. The hardcoded replacement password is Nxploited@123KSa. Operational flow: for each target, the script first probes likely user IDs (1 and 2), then optionally expands to IDs 3 through 20 if needed. After a successful reset indication (matching the success string '"activation":true'), it attempts to determine the corresponding username using WordPress REST API endpoints and author enumeration techniques, then logs in through /wp-login.php. It confirms administrator access by requesting /wp-admin/users.php and checking whether the session has sufficient privileges. Confirmed admin compromises are written to scan_results/pravel_admin_success.txt. Repository structure is simple and purpose-built for exploitation rather than detection. It includes threading support via ThreadPoolExecutor for mass scanning, randomized User-Agent selection, timeout tuning, console output formatting with rich, and synchronized file/result handling. This is a real exploit with post-exploitation validation logic, not merely a detector or README-only proof of concept.