Description
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection flaw that lets an attacker insert arbitrary SQL code through the 'post' parameter on the admin.php endpoint. By forging a request with action=duplicate_quote_invoice and a malicious 'post' value, the attacker can read sensitive tables or alter data. This results in loss of data confidentiality and integrity for the affected WordPress site.

Affected Systems

The vulnerability exists in the Sliced Invoices plugin for WordPress, version 3.8.2. Only sites that have this plugin installed are affected, and exploitation requires an authenticated administrator account.

Risk and Exploitability

The CVSS score of 7.1 rates the issue as high severity, although no EPSS score is published and it is not listed in the CISA KEV catalog. Exploitation requires a legitimate admin login; once authenticated, an attacker can craft a POST request to the admin.php page and inject SQL code. Because the attack requires an authenticated session, its scope is limited to data within the WordPress database, potentially affecting all stored invoices and quotes. The lack of public exploitation data suggests the vulnerability may not yet be commonly targeted, but the high severity and the accessibility of the injection point warrant prompt attention.

Generated by OpenCVE AI on June 16, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sliced Invoices to the latest version that removes the vulnerable parameter handling
  • Restrict administrator access by ensuring only trusted users have login capability and that multifactor authentication is enabled
  • Deploy a web application firewall or intrusion detection system tuned to block SQL injection patterns on the admin.php endpoint

Generated by OpenCVE AI on June 16, 2026 at 01:55 UTC.
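The third recommended action above asks for detection on the admin.php endpoint. The following is an added example, not part of the OpenCVE page or of the plugin's own code: it scans access-log lines for requests to admin.php with action=duplicate_quote_invoice whose 'post' parameter is not a plain integer (WordPress post IDs are integers). The log lines are constructed, and the check assumes the parameters are visible in the query string.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the page.
# Line 1 is a normal duplicate request with an integer post ID; lines 2 and 4 carry
# non-numeric 'post' values of the kind a SQL injection attempt would produce.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2026:06:30:01 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=42 HTTP/1.1" 302 0
203.0.113.7 - - [16/Jun/2026:06:30:09 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=42%27%20OR%201%3D1 HTTP/1.1" 200 1532
198.51.100.9 - - [16/Jun/2026:06:31:00 +0000] "GET /wp-admin/edit.php?post_type=sliced_invoice HTTP/1.1" 200 8801
203.0.113.7 - - [16/Jun/2026:06:31:30 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=42%20UNION%20SELECT%201 HTTP/1.1" 500 0
"""

# Fields needed from a combined-log line: client IP, timestamp, request target, status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# WordPress post IDs are positive integers; anything else in 'post' is worth a look.
POST_ID_RE = re.compile(r"^[0-9]+$")


def suspicious_duplicate_requests(log_text):
    """Return (ip, timestamp, decoded 'post' value, status) for every admin.php request
    with action=duplicate_quote_invoice whose 'post' parameter is not a bare integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/admin.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("action", [""])[0] != "duplicate_quote_invoice":
            continue
        for value in params.get("post", []):  # parse_qs already percent-decodes
            if not POST_ID_RE.match(value):
                hits.append((m.group("ip"), m.group("ts"), value, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, ts, value, status in suspicious_duplicate_requests(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} post={value!r}")
```

Parameters sent in a request body do not appear in a standard access log; apply the same check to WAF or request-body logs that record form fields.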

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

  • First Time appeared (values added): Slicedinvoices; Slicedinvoices sliced Invoices; Wordpress; Wordpress wordpress
  • Vendors & Products (values added): Slicedinvoices; Slicedinvoices sliced Invoices; Wordpress; Wordpress wordpress

Mon, 15 Jun 2026 16:30:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

  • Description (values added): WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
  • Title (values added): WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter
  • Weaknesses (values added): CWE-89
  • References (values added): (none listed)
  • Metrics (values added): cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    cvssV4_0
    {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T14:49:01.150Z

Reserved: 2026-06-15T11:31:46.498Z

Link: CVE-2019-25746

Vulnrichment

Updated: 2026-06-15T14:48:56.309Z

NVD

Status: Deferred

Published: 2026-06-15T14:16:32.517

Modified: 2026-06-15T20:50:47.973

Link: CVE-2019-25746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T03:00:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')