CVE-2019-25746

HIGH

WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25746. PoCs published by Lucian Ioan Nitescu.

AI-analyzed exploit summary: This exploit demonstrates an authenticated SQL injection vulnerability in WordPress Sliced Invoices plugin versions below 3.8.2. The PoC uses a time-based SQL injection via the 'post' parameter to confirm exploitation.

Description

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.

Exploits (1)

exploitdb WORKING POC
by Lucian Ioan Nitescu · text · webapps · php
https://www.exploit-db.com/exploits/47540


Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: WordPress Sliced Invoices < 3.8.2
Auth required
Prerequisites: WordPress user credentials · Sliced Invoices plugin < 3.8.2
devstral-2 · analyzed Jun 15, 2026

References (4)

Core References (4)
Exploit: ExploitDB-47540
https://www.exploit-db.com/exploits/47540
Product: Official Product Homepage
https://slicedinvoices.com/
Product: Product Reference
https://wordpress.org/plugins/sliced-invoices/
Third Party Advisory: VulnCheck Advisory: WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter
https://www.vulncheck.com/advisories/wordpress-sliced-invoices-sql-injection-via-post-parameter

Scores

CVSS v3 7.1
EPSS 0.0023
EPSS Percentile 13.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
SlicedInvoices/Sliced Invoices 3.8.2
Published Jun 15, 2026
Tracked Since Jun 15, 2026