VYPR
High severity 7.1 · NVD Advisory · Published Jun 15, 2026

CVE-2019-25746

Description

WordPress Sliced Invoices ≤3.8.2 has an authenticated SQL injection in the duplicate_quote_invoice action via the post parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WordPress Sliced Invoices versions 3.8.2 and earlier contain an authenticated SQL injection vulnerability. The flaw resides in the admin.php endpoint, specifically in the duplicate_quote_invoice action. The post parameter is used in a database query without being sanitized or parameterised, so an attacker can inject arbitrary SQL through it. Exploitation requires the attacker to hold an authenticated WordPress user account.

Exploitation

An authenticated attacker with a WordPress user account can send a crafted HTTP request to `admin.php?action=duplicate_quote_invoice` with a malicious `post` parameter value. For example, appending `and (select*from(select(sleep(20)))a)--%20` to the `post` parameter causes a 20-second delay, confirming SQL injection. Tools like sqlmap can automate exploitation to enumerate the database or execute arbitrary SQL statements [4].

Impact

Successful exploitation allows an authenticated attacker to extract sensitive information from the WordPress database, including user credentials, post content, and other stored data. The attacker can also modify database records, potentially escalating privileges or altering application behavior. The CVSS v3 base score is 7.1 (High), reflecting low attack complexity and network access [3].

Mitigation

The vendor has not released a patched version as of the publication date. The advisory indicates that versions 3.8.2 and earlier are affected [3]. Users should upgrade to a patched version if and when it becomes available, or restrict access to the admin.php endpoint and ensure that only trusted, authenticated users have accounts. No official mitigation or workaround has been provided in the available references.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `post` parameter is directly interpolated into an SQL query without sanitisation or parameterisation, enabling authenticated SQL injection."

Attack vector

An attacker with a valid WordPress user account sends a crafted GET request to `/wp-admin/admin.php?action=duplicate_quote_invoice&post=...`. The `post` parameter is injected with SQL payloads; for example, `8%20and%20(select*from(select(sleep(20)))a)--%20` causes a 20-second delay, confirming execution [ref_id=1]. This allows the attacker to extract or modify data via sqlmap or manual injection. [CWE-89]

Affected code

The authenticated SQL injection resides in the `admin.php` endpoint when the `duplicate_quote_invoice` action is invoked. The vulnerable `post` parameter is passed directly into a database query without sanitization or parameterisation.

What the fix does

The advisory does not provide a patch diff. To remediate, the plugin must use prepared statements or properly escape/sanitize the `post` parameter before it enters any SQL query. The vendor released version 3.8.2 as the first unaffected version, implying the fix involved parameterised queries or input validation at that endpoint [ref_id=1].
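The remediation described above, shown as an added illustration of the pattern rather than the plugin's own code: a hypothetical WordPress `admin.php` action handler in the vulnerable shape the advisory describes (raw `post` value concatenated into SQL), followed by a hardened version that validates the parameter as an integer, binds it with `$wpdb->prepare()`, and adds the capability and nonce checks any admin action should carry. The function names, the `example_` nonce action and the text domain are assumptions for this example.

```php
<?php
// Added example, not Sliced Invoices' own code. Illustrates the defect class
// (CWE-89) behind this advisory and one correct way to close it in a plugin.

// VULNERABLE PATTERN (do not use): the request value is interpolated into the
// SQL string, so anything after the number is executed as SQL by MySQL.
function hypothetical_duplicate_vulnerable() {
    global $wpdb;
    $post_id = $_GET['post'];                                   // untrusted string
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->posts} WHERE ID = " . $post_id );
    // ... copy $row into a new post ...
}

// HARDENED PATTERN: authorization, CSRF nonce, integer coercion, bound query.
function hypothetical_duplicate_hardened() {
    global $wpdb;

    // Any logged-in account could reach admin.php; require an editing capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // The link that triggers this action must carry a nonce (see usage note),
    // so a victim cannot be made to fire it from another site.
    check_admin_referer( 'example_duplicate_quote_invoice' );

    // absint() yields a non-negative integer; SQL syntax in `post` cannot survive it.
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    if ( 0 === $post_id ) {
        wp_die( esc_html__( 'Invalid post ID.', 'example' ), 400 );
    }

    // Bind the value with %d instead of interpolating it, even though it is
    // already an integer: prepare() is the habit that removes this bug class.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );
    if ( null === $row ) {
        wp_die( esc_html__( 'Post not found.', 'example' ), 404 );
    }

    // Per-object authorization: the caller must be allowed to edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // ... duplicate $row with wp_insert_post() and redirect ...
}

// admin.php fires admin_action_{$action} for the `action` request parameter.
add_action( 'admin_action_duplicate_quote_invoice', 'hypothetical_duplicate_hardened' );
```

The link that invokes the hardened action would be built with `wp_nonce_url( admin_url( 'admin.php?action=duplicate_quote_invoice&post=' . $id ), 'example_duplicate_quote_invoice' )` so that `check_admin_referer()` succeeds. For a single-row lookup by ID, `get_post( $post_id )` avoids hand-written SQL entirely; the explicit `$wpdb->prepare()` is shown because the advisory's root cause is an unparameterised query.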

Preconditions

  • auth: Attacker must have a valid WordPress user account (any role that can reach admin.php).
  • config: The Sliced Invoices plugin version must be lower than 3.8.2.
  • network: The target WordPress instance must be network-accessible.
  • input: Attacker supplies malicious SQL content in the 'post' HTTP GET parameter.

Reproduction

As a logged-in WordPress user, visit `http://<target>/wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20`. A 20-second delay in the HTTP response confirms the SQL injection is exploitable [ref_id=1].

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)