What the vulnerability does
01Description
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
Explanation of Vulnerability in Simple Terms
02Summary
Sliced Invoices versions 3.8.2 and earlier contain a SQL injection vulnerability accessible to authenticated users with low privileges. An attacker with a user account can inject malicious SQL commands through unfiltered input, potentially reading or modifying invoice data and other sensitive information stored in the database.
What an attacker can do
03Attacker Capabilities
Read or modify invoice data and other database records by injecting SQL commands.
Potential impact on your site
04Site Impact
Invoice data and other database records could be exposed or altered by any authenticated user.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated