PT-2024-11511 · WordPress · Wp-Invoice
Mariam Tariq
·
Published
2024-01-16
·
Updated
2025-06-11
·
CVE-2022-1617
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WP-Invoice WordPress plugin versions 4.3.1 and earlier
Description
The issue is related to the lack of CSRF check when updating settings and insufficient sanitization and escaping in some settings, allowing an attacker to make a logged-in admin change them and add an XSS payload.
Recommendations
For WP-Invoice WordPress plugin versions 4.3.1 and earlier, update to a version that includes the necessary CSRF checks and proper sanitization and escaping of settings to prevent exploitation.
Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp-Invoice