Vulnerability Description
The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Web Invoice Project | Web Invoice | <= 2.1.3 |
References
- https://bulletin.iese.de/post/web-invoice_2-1-3_2ExploitThird Party Advisory
- https://wpscan.com/vulnerability/218f8015-e14b-46a8-889d-08b2b822f8aeExploitThird Party Advisory
- https://bulletin.iese.de/post/web-invoice_2-1-3_2ExploitThird Party Advisory
- https://wpscan.com/vulnerability/218f8015-e14b-46a8-889d-08b2b822f8aeExploitThird Party Advisory
FAQ
What is CVE-2022-4372?
CVE-2022-4372 is a vulnerability with a CVSS score of 7.2 (HIGH). The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such...
How severe is CVE-2022-4372?
CVE-2022-4372 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-4372?
Check the references section above for vendor advisories and patch information. Affected products include: Web Invoice Project Web Invoice.