CVE-2019-25746 HIGH

CVE-2019-25746: WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter

Vendor Slicedinvoices
Product Sliced Invoices
Weakness CWE-89 · SQLi
Published June 15, 2026
Last update June 15, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

WordPress Sliced Invoices 3.8.2 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
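A log check for the request shape described above, as an added example that is not part of this record or of the plugin's code. It assumes the parameters appear in the query string of a combined-format web server access log and that a legitimate 'post' value is a plain integer post ID; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request-line portion of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate 'post' value is a WordPress post ID (digits only).
POST_ID_RE = re.compile(r"[0-9]{1,20}")

def suspicious_post_value(log_line):
    """Return the decoded 'post' value when the line is an admin.php request
    with action=duplicate_quote_invoice and a non-integer 'post'; else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/admin.php"):
        return None
    # parse_qs URL-decodes values, so encoded input is compared in clear form.
    params = parse_qs(url.query, keep_blank_values=True)
    if "duplicate_quote_invoice" not in params.get("action", []):
        return None
    for value in params.get("post", []):
        if not POST_ID_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_post_value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_post_value(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php'
    '?action=duplicate_quote_invoice&post=42 HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php'
    '?action=duplicate_quote_invoice&post=7%20OR%201%3D1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin.php'
    '?action=other&post=abc HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE):
        print(f"line {number}: non-integer post value {value!r}")
```

Requests that carry 'post' in a POST body are not visible in an access log and need application-level or WAF logging to be checked the same way.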

Key dates

Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated