5 matches found
CVE-2022-1617
The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them...
CVE-2022-1617
The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them...
CVE-2022-1617 WP-Invoice <= 4.3.1 - Stored Cross-Site Scripting via CSRF
The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them...
CVE-2022-1617 WP-Invoice <= 4.3.1 - Stored Cross-Site Scripting via CSRF
The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them...
CVE-2022-1617
The CVE-2022-1617 entry concerns the WP-Invoice WordPress plugin (versions 4.3.1 and earlier) where missing CSRF protection plus insufficient sanitization/escaping in update settings allows a logged-in administrator to inject stored XSS payloads. Exploitation is demonstrated in multiple sources (...