CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them...

6.1CVSS6AI score0.0013EPSS

Exploits2References1

RedhatCVE•added 2025/05/22 2:27 a.m.•4 views

CVE-2016-11009

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpiinterkassa payer metadata updates...

5.3CVSS7.1AI score0.00228EPSS

Exploits1References1

RedhatCVE•added 2025/05/22 1:31 a.m.•5 views

CVE-2016-11010

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpitwocheckout payer metadata updates...

5.3CVSS7.1AI score0.00249EPSS

Exploits1References1

RedhatCVE•added 2025/05/22 12:53 a.m.•6 views

CVE-2016-11007

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpiuserid for invoice retrieval...

5.3CVSS7.1AI score0.00319EPSS

Exploits1References1

Positive Technologies•added 2024/01/16 12:0 a.m.•1 views

PT-2024-11511 · WordPress · Wp-Invoice

Name of the Vulnerable Software and Affected Versions: WP-Invoice WordPress plugin versions 4.3.1 and earlier Description: The issue is related to the lack of CSRF check when updating settings and insufficient sanitization and escaping in some settings, allowing an attacker to make a logged-in...

6.1CVSS5.9AI score0.0013EPSS

Exploits2References6

WPVulnDB•added 2022/04/27 12:0 a.m.•9 views

WP-Invoice <= 4.3.1 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attacker to make a logged in admin update them and change the minimum role allowed to access the plugin's features to subscriber for example, which would make invoices available to any authenticated users P...

4.4AI score

Exploits0Affected Software1

NVD•added 2019/09/20 3:15 p.m.•9 views

CVE-2016-11010

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpitwocheckout payer metadata updates...

5.3CVSS5.5AI score0.00249EPSS

Exploits1References3

NVD•added 2019/09/20 3:15 p.m.•8 views

CVE-2016-11006

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admininit settings changes...

5.3CVSS5.5AI score0.00228EPSS

Exploits1References3

Prion•added 2019/09/20 3:15 p.m.•7 views

Privilege escalation

The wp-invoice plugin before 4.1.1 for WordPress has wpiupdateuseroption privilege escalation...

4CVSS7.3AI score0.0016EPSS

Exploits1References3Affected Software1

Prion•added 2019/09/20 3:15 p.m.•12 views

Design/Logic Flaw

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpitwocheckout payer metadata updates...

5CVSS7.2AI score0.00249EPSS

Exploits1References3Affected Software1

Prion•added 2019/09/20 3:15 p.m.•9 views

Improper access control

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpiinterkassa payer metadata updates...

5CVSS7.2AI score0.00228EPSS

Exploits1References3Affected Software1

CVE•added 2019/09/20 2:46 p.m.•48 views

CVE-2016-11010

The CVE-2016-11010 entry concerns the WordPress WP-Invoice plugin, affected in versions before 4.1.1. The root cause is incorrect access control over wpi_twocheckout payer metadata updates, enabling potential unauthorized updates to payer data. Public documentation in the provided sources confirm...

5.3CVSS5.4AI score0.00249EPSS

Exploits1References3Affected Software1