CVE-2025-31628
Description
Missing Authorization vulnerability in Sliced Invoices plugin versions through 3.10.0 allows exploitation of incorrectly configured access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Missing Authorization vulnerability exists in the Sliced Invoices WordPress plugin (sliced-invoices) through version 3.10.0. The bug resides in the access control logic, allowing exploitation of incorrectly configured access control security levels. The plugin, which supports WordPress >= 4.0 and PHP >= 5.5, is available from the official WordPress plugin repository [1].
Exploitation
An attacker does not require elevated privileges or authentication to exploit this vulnerability. By leveraging the incorrectly configured access control security levels, an attacker can bypass intended restrictions without any user interaction. The only network position required is ordinary web access to the WordPress installation running the vulnerable plugin.
Impact
Successful exploitation leads to unauthorized access to sensitive plugin functionality. Because access control security levels are incorrectly configured, this can potentially result in information disclosure or privilege escalation. The exact confidentiality, integrity and availability (CIA) outcome depends on the specific misconfigured endpoints, but the vulnerability class implies risks to confidentiality and integrity.
Mitigation
The vendor has not yet released a patched version for this vulnerability. As of the publication date 2025-04-01, version 3.10.0 remains the latest version according to the plugin repository [1]. No workarounds are documented in available references. Users should monitor the plugin's update channel for a security fix and consider restricting plugin access via server-side controls until a patch is available.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=3.10.0
- (no CPE) range: <=3.10.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.