CVE-2022-4372 (CVSS base score 7.2)
- EPSS 0.29%
- Published 02.01.2023 22:15:17
- Last modified 10.04.2025 18:15:45
- Source contact@wpscan.com
Web Invoice <= 2.1.3 - Authenticated SQL Injection
The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high-privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscribers, could exploit this as well.
Possible countermeasure
Web Invoice – Invoicing and billing for WordPress: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Further vulnerability information
System: WordPress Plugin
Product: Web Invoice – Invoicing and billing for WordPress
Version: * - 2.1.3 (all versions up to and including 2.1.3)
Data provided by the National Vulnerability Database (NVD)
Affected configuration: Web Invoice Project > Web Invoice (software platform: wordpress), version <= 2.1.3
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.523 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |