CVE-2022-1617

Description

The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them

PUBLISHED Reserved 2022-05-07 | Published 2024-01-16 | Updated 2025-06-11 | Assigner WPScan

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

CWE-79 Cross-Site Scripting (XSS)

Product status

Credits

Mariam Tariq finder

WPScan coordinator

References

wpscan.com/...rability/7e40e506-ad02-44ca-9d21-3634f3907aad/ exploit vdb-entry technical-description

wpscan.com/...rability/7e40e506-ad02-44ca-9d21-3634f3907aad/ exploit vdb-entry technical-description

cve.org (CVE-2022-1617)

nvd.nist.gov (CVE-2022-1617)

Download JSON