WordPress Sliced Invoices plugin <= 3.9.2 - Broken Access Control vulnerability
Description
Sliced Invoices 3.9.2 and below lack authorization checks, letting unauthenticated attackers view or modify invoices and quotes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability exists in the Sliced Invoices WordPress plugin, affecting all versions up to and including 3.9.2 [1]. The plugin does not verify that the requester holds the required capability before serving requests that read or modify invoices and quotes; the advisory does not name the specific AJAX actions or REST routes involved. In WordPress terms this class of bug is usually a request handler that performs a privileged read or write without a current_user_can() check, for example an AJAX action also registered on the wp_ajax_nopriv_ hook, or a REST route whose permission_callback allows everyone.
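The following is an added illustration of the vulnerable pattern described above beside its hardened form. It is not code from the Sliced Invoices plugin and does not reproduce its actual handlers; the action name example_update_invoice, the REST namespace example/v1 and the meta key _example_invoice_status are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook names, the REST route and the
// meta key are hypothetical; the pattern is standard WordPress plumbing.

// --- Vulnerable pattern -----------------------------------------------
// The handler is registered for logged-out visitors (wp_ajax_nopriv_) and
// changes data without any capability or nonce check, so anyone who can
// reach /wp-admin/admin-ajax.php can modify any invoice.
add_action( 'wp_ajax_nopriv_example_update_invoice', 'example_update_invoice_unsafe' );
add_action( 'wp_ajax_example_update_invoice',        'example_update_invoice_unsafe' );

function example_update_invoice_unsafe() {
    $invoice_id = isset( $_POST['invoice_id'] ) ? absint( $_POST['invoice_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';

    update_post_meta( $invoice_id, '_example_invoice_status', $status ); // no authorization
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------
// 1. Register only the privileged hook; unauthenticated requests never
//    reach the handler.
add_action( 'wp_ajax_example_update_invoice_safe', 'example_update_invoice_safe' );

function example_update_invoice_safe() {
    // 2. CSRF protection: the nonce must come from a page rendered for this user.
    check_ajax_referer( 'example_update_invoice', 'nonce' );

    $invoice_id = isset( $_POST['invoice_id'] ) ? absint( $_POST['invoice_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';

    // 3. Authorization: check a capability against the specific object,
    //    not merely "is logged in".
    if ( ! $invoice_id || ! current_user_can( 'edit_post', $invoice_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    update_post_meta( $invoice_id, '_example_invoice_status', $status );
    wp_send_json_success();
}

// 4. REST routes: the same check belongs in permission_callback. Never use
//    '__return_true' on a route that reads or writes business data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/invoices/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_rest_update_invoice',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );

function example_rest_update_invoice( WP_REST_Request $request ) {
    $status = sanitize_text_field( (string) $request->get_param( 'status' ) );
    update_post_meta( (int) $request['id'], '_example_invoice_status', $status );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this bug class, grep for wp_ajax_nopriv_ registrations and for permission_callback values of __return_true, then confirm each matching handler checks a capability tied to the object it touches; a nonce check alone is not authorization, since nonces only prove the request originated from a page the site served to that visitor.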
Exploitation
An unauthenticated attacker needs only network access to a WordPress site running the vulnerable plugin. By sending crafted requests to the unprotected request handlers, the attacker can read invoices and quotes or perform state-changing operations that modify them. No account, credentials or existing session is required [1].
Impact
Successful exploitation exposes the financial data held in invoices and quotes and lets an attacker alter invoice records, undermining the integrity of billing records and potentially enabling fraud or disrupting billing workflows. The vulnerability affects the confidentiality and integrity of the site's invoicing data; availability is not directly impacted.
Mitigation
The issue is fixed in version 3.10.0 of Sliced Invoices, released on 2025-12-12 [1]. Users should update their plugin to version 3.10.0 or later immediately. No workarounds are documented in the available references. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sliced Invoices: versions <= 3.9.2
- Sliced Invoices / Sliced Invoices: range n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.