CVE-2024-49298

An authenticated attacker with low privileges can inject malicious JavaScript into input fields that are later rendered in invoice pages viewed by other users. The attack is network-based (AV:N) and requires user interaction (UI:R) from the victim, such as viewing a generated invoice. The stored XSS payload executes in the context of the victim's browser session, allowing the attacker to steal cookies, perform actions on behalf of the victim, or deface invoice content. [CWE-79]

The vulnerability exists in the PeproDev Ultimate Invoice plugin for WordPress (pepro-ultimate-invoice). The advisory does not specify the exact file or function, but the CWE-79 classification indicates that user-controllable input is not properly neutralized before being placed in output served as a web page, leading to stored cross-site scripting.

The patch is not included in the bundle. The advisory references a security fix in version 2.2.6 ("Security Issue Fixed: Randomized invoice archive filenames and removed files after download") but does not describe a specific XSS fix. The changelog for version 2.2.2 mentions "Allowed HTML Tags in Address Display method field" which may be related to the XSS vector. Without a patch diff, the exact remediation cannot be confirmed.