CVE-2019-25746
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
The WordPress Sliced Invoices plugin version 3.8.2 contains an authenticated SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
Risk Assessment
This vulnerability poses a risk of sensitive data leakage and unauthorized data modification, which can lead to serious security implications for the organization.
Recommendation
It is recommended to update the Sliced Invoices plugin to the latest version to mitigate this vulnerability and to review logs for potential attack attempts.
Original NVD description (English source)
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.

