CVE-2019-25746 HIGH

CVE-2019-25746: WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter

Vendor Slicedinvoices
Product Sliced Invoices
Weakness CWE-89 · SQLi
Published June 15, 2026
Last update June 15, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.

Explanation of Vulnerability in Simple Terms

02Summary

Sliced Invoices versions 3.8.2 and earlier contain a SQL injection vulnerability accessible to authenticated users with low privileges. An attacker with a user account can inject malicious SQL commands through unfiltered input, potentially reading or modifying invoice data and other sensitive information stored in the database.

What an attacker can do

03Attacker Capabilities

Read or modify invoice data and other database records by injecting SQL commands.

Potential impact on your site

04Site Impact

Invoice data and other database records could be exposed or altered by any authenticated user.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

08Related CVE