WordPress WP-Invoice 4.3.1 Cross Site Scripting
# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage:
# Version: 4.3.1
# Tested on: Firefox
# Contact me: [email protected]

# Vulnerable Code:
 wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';

1. Install the WP-Invoice WordPress plugin and activate it.
2. Go to WP-Invoice settings and, inside the Business Name field, inject the XSS payload ><img src=x onerror=alert(1)>
3. The XSS will trigger and will be stored.
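
For remediation, the following added example (not code from this advisory or from the WP-Invoice project, and not the vendor's patch) puts the unescaped echo pattern shown under "Vulnerable Code" beside a hardened form that encodes the setting for a JavaScript context. The `$wpi_settings` array is a constructed stand-in for the plugin's stored settings, and the helper names `render_vulnerable`, `render_hardened` and `sanitize_business_name` are hypothetical.

```php
<?php
// Added example, not WP-Invoice code. $wpi_settings is a constructed stand-in
// for the plugin's stored settings; the value is the payload from step 2.
$wpi_settings = ['business_name' => '><img src=x onerror=alert(1)>'];

// Pattern from the advisory: the stored value is echoed verbatim into the page.
function render_vulnerable(array $settings): string
{
    return "wpi.business_name = '" . $settings['business_name'] . "';";
}

// Hardened output (hypothetical helper): emit the value as a JS string literal.
// The JSON_HEX_* flags escape <, >, &, ' and " as \uXXXX, so the value cannot
// close the string, close the <script> element, or be parsed as markup.
// Inside WordPress, wp_json_encode() accepts the same flags.
function render_hardened(array $settings): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode((string) $settings['business_name'], $flags);
    if ($literal === false) {
        $literal = '""'; // e.g. invalid UTF-8: fail closed with an empty literal
    }
    return 'wpi.business_name = ' . $literal . ';';
}

// Second layer at save time (hypothetical helper): a business name is plain
// text, so drop tags and control characters before the value is stored.
// Inside WordPress, sanitize_text_field() serves this purpose.
function sanitize_business_name(string $raw): string
{
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $text) ?? '';
    return trim($text);
}

// Print the three results side by side for comparison.
echo 'vulnerable: ', render_vulnerable($wpi_settings), PHP_EOL;
echo 'hardened:   ', render_hardened($wpi_settings), PHP_EOL;
echo 'sanitized:  ', var_export(sanitize_business_name($wpi_settings['business_name']), true), PHP_EOL;
```

Output encoding is the primary control here because it also neutralizes values stored before any save-time sanitization was introduced.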
