The wp-invoice plugin prior to 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates.
Affected vendor and product: usabilitydynamics wp-invoice