WordPress WP-Invoice 4.3.1 Cross Site Scripting
WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.
# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/
# Version: 4.3.1
# Tested on: Firefox
# Contact me: [email protected]

# Vulnerable Code:
```php
wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';
```

# POC
1. Install the WP-Invoice WordPress plugin and activate it.
2. Go to the WP-Invoice settings and inject the XSS payload "><img src=x onerror=alert(1)> into the Business Name field.
3. The XSS triggers, and the payload is stored.

# POC Image
https://imgur.com/rsHIEO9
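The quoted line echoes a stored setting straight into a JavaScript string literal, so whatever an administrator saved is emitted into the page without any context-specific encoding. The following standalone PHP script is an added example, not code from the WP-Invoice plugin or from the advisory author: it places the vulnerable pattern beside the encoding that WordPress code should use for this sink, and runs both over constructed inputs including the PoC payload. It assumes the setting really is rendered inside an inline `<script>` block, as the quoted line suggests.

```php
<?php
// Added example, not code from the WP-Invoice plugin or from the advisory.
// It contrasts the pattern quoted above (raw PHP value echoed into a JS string
// literal inside a <script> block) with the encoding WordPress code should use.
// Assumption: the setting is emitted into an inline <script> as the quoted
// line suggests. Run with: php wpi_business_name.php

// Constructed inputs: a benign name, the advisory's PoC payload, and a
// </script> breakout that a single-quoted JS string does nothing to stop.
const SAMPLES = [
    'Acme Invoicing',
    '"><img src=x onerror=alert(1)>',
    "</script><script>alert(document.domain)</script>",
    "O'Brien & Sons",
];

// Vulnerable: the stored setting is concatenated straight into the page,
// exactly as the quoted template line does.
function render_vulnerable(string $business_name): string
{
    return "wpi.business_name = '" . $business_name . "';";
}

// Hardened: emit the value as a JSON string literal. The HEX flags turn
// < > & ' " into \uXXXX escapes, so the literal can never contain a '<' that
// the HTML parser would read as the start of </script> or another tag, and
// can never contain a quote that ends the JS string early. Inside WordPress,
// wp_json_encode( $value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
// is the same call; esc_js() is intended for onclick-style attribute values,
// not for building a string literal inside a <script> block.
function render_hardened(string $business_name): string
{
    $literal = json_encode(
        $business_name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "wpi.business_name = " . $literal . ";";
}

// Check used by the demo: a literal '<' anywhere in the emitted statement is
// enough for an HTML parser to see a tag boundary inside the script block.
function leaks_tag_boundary(string $js): bool
{
    return strpos($js, '<') !== false;
}

foreach (SAMPLES as $name) {
    $bad  = render_vulnerable($name);
    $good = render_hardened($name);
    printf("input:      %s\n", $name);
    printf("vulnerable: %s  [tag boundary: %s]\n", $bad, leaks_tag_boundary($bad) ? 'YES' : 'no');
    printf("hardened:   %s  [tag boundary: %s]\n\n", $good, leaks_tag_boundary($good) ? 'YES' : 'no');
}
```

Output encoding at the sink is the actual fix; running the value through `sanitize_text_field()` when the setting is saved is worthwhile defence in depth but not a substitute, because a stored value can reach the page through more than one template. One caveat for anyone reproducing the PoC: the `">` prefix of the payload closes an HTML attribute, so if the Business Name is also reflected into an `<input value="...">` or similar attribute on the settings page, that sink needs `esc_attr()`, and the `<script>` sink above needs the JSON encoding shown; the two contexts require different encoders, and one does not cover the other.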