Impact
This vulnerability is an Insecure Direct Object Reference (IDOR) issue that allows an attacker to access invoices they are not authorized to view. It arises from incorrect or missing authorization checks in the Sliced Invoices plugin. As a result, an attacker could read, download, or possibly modify sensitive financial documents belonging to other users, compromising the confidentiality and potentially the integrity of billing information.
Affected Systems
The affected product is the WordPress Sliced Invoices plugin from SlicedInvoices, in all releases up to and including version 3.10.0. The entry lists the product name as Sliced Invoices and indicates that every version from the earliest available through 3.10.0 is vulnerable. The description names no specific patch version, but the vulnerability is officially fixed in releases newer than 3.10.0.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk level, while the EPSS score of less than 1% suggests that, at the time of publishing, the likelihood of exploitation is low. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is inferred from the IDOR nature of the flaw: an authenticated user with knowledge of invoice identifiers could manipulate request parameters or URLs to access invoices belonging to other users. No additional exploitation prerequisites are mentioned, but standard web authentication is typically required to carry out the attack.
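The authorization check whose absence this entry describes, shown as an added illustration in WordPress plugin style. This is not the Sliced Invoices code or its fix; the post type 'invoice', the meta key '_client_user_id' and the 'manage_options' capability are assumptions chosen for the example.

```php
<?php
// Added illustration of the IDOR pattern and a hardened form. Not the plugin's code;
// post type 'invoice', meta key '_client_user_id' and the capability name are assumed.

// Vulnerable pattern: the invoice is looked up by the ID the client supplied and
// returned to any caller. Knowing another user's invoice ID is enough to read it.
function example_get_invoice_insecure( $request ) {
    $invoice_id = absint( $request['invoice_id'] );
    return get_post( $invoice_id ); // no ownership or capability check
}

// Hardened pattern: the ID still comes from the request, but the caller must be
// logged in and must either own the invoice or hold an explicit staff capability.
function example_get_invoice_secure( $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $invoice_id = absint( $request['invoice_id'] );
    $invoice    = get_post( $invoice_id );

    // Reject anything that is not an invoice object (unknown ID or wrong post type).
    if ( ! $invoice || 'invoice' !== $invoice->post_type ) {
        return new WP_Error( 'not_found', 'Invoice not found.', array( 'status' => 404 ) );
    }

    // Ownership: the assumed meta key stores the WordPress user ID the invoice was
    // issued to. Compare as integers so a stored string cannot cause a false mismatch.
    $owner_id = (int) get_post_meta( $invoice_id, '_client_user_id', true );
    $is_owner = $owner_id > 0 && $owner_id === get_current_user_id();

    // Staff bypass: only users with the assumed capability may read others' invoices.
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        // Same response as an unknown ID, so the check does not reveal that the invoice exists.
        return new WP_Error( 'not_found', 'Invoice not found.', array( 'status' => 404 ) );
    }

    return $invoice;
}
```

Any download, PDF rendering or edit handler for the same object needs the identical ownership check; an IDOR is only closed when every code path that resolves a client-supplied ID enforces it.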
OpenCVE Enrichment