CVE-2019-25746

EUVD-2019-20182
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulnCheckCNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
slicedinvoicessliced_invoices
3.8.2
CNA
Common Weakness Enumeration
References
https://slicedinvoices.com/
https://wordpress.org/plugins/sliced-invoices/
https://www.exploit-db.com/exploits/47540
https://www.vulncheck.com/advisories/wordpress-sliced-invoices-sql-injection-via-post-parameter