CVE-2019-25746
Authenticated SQL Injection in Sliced Invoices WordPress Plugin

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

| Vendor          | Product         | Version / Range   |
|-----------------|-----------------|-------------------|
| sliced_invoices | sliced_invoices | to 3.8.2 (exc)    |
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2019-25746 is an authenticated SQL injection vulnerability in the WordPress plugin Sliced Invoices version 3.8.2. It allows attackers who have authenticated access to the WordPress admin area to inject malicious SQL code through the 'post' parameter when sending requests to the admin.php endpoint with the action 'duplicate_quote_invoice'. This injection can manipulate database queries.

By exploiting this vulnerability, an attacker can extract sensitive information from the database or modify data stored within it.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information and the ability to alter data within the database.

  • Extraction of sensitive information from the database.
  • Modification or corruption of database data.
  • Potential disruption of normal plugin or site operations due to manipulated data.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious requests to the WordPress admin.php endpoint with the action parameter set to duplicate_quote_invoice and unusual or crafted values in the post parameter.

A practical detection method involves sending crafted requests that cause a measurable delay in the server response, indicating SQL injection exploitation attempts.

  • Example of a crafted request to test for the vulnerability: /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20

If the server response is delayed by approximately 20 seconds, it confirms the presence of the SQL injection vulnerability.

Additionally, tools like sqlmap can be used to automate detection and exploitation attempts to confirm the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating the Sliced Invoices plugin to a version later than 3.8.2 where this vulnerability is patched.

Restrict access to the WordPress admin area to trusted users only, as exploitation requires authenticated access.

Monitor and block suspicious requests targeting the admin.php endpoint with the action=duplicate_quote_invoice parameter and unusual post values.

Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting this specific parameter and endpoint.

Regularly review user privileges to ensure only necessary users have administrative or elevated access.
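The monitoring advice in the Detection Guidance section and in the "Monitor and block suspicious requests" step above can be turned into a concrete log check: flag requests to admin.php with action=duplicate_quote_invoice whose post value is not the plain integer post ID the plugin expects, and flag responses that took abnormally long, which is what the time-based probe quoted on this page would produce. The Python below is an added example, not code from this page or from the Sliced Invoices project. It assumes an Apache combined-format access log with the response time in microseconds (the %D field) appended as a trailing column; the three log lines are constructed for the example, one of them carrying the probe request from the Detection Guidance section.

```python
"""Flag suspicious Sliced Invoices duplicate_quote_invoice requests in an access log.

Added example (not the plugin's or the page's code). Assumes Apache combined
log format with %D (response time in microseconds) appended as the last field.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format plus a trailing %D field (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# SQL syntax that should never appear in a numeric post ID.
SQL_TOKENS = re.compile(r"\b(sleep|benchmark|select|union|and|or)\b|--|/\*|'", re.I)

# A duplicate action normally completes quickly; the probe on this page aims for ~20 s.
SLOW_THRESHOLD_US = 10_000_000


def analyse_request(url, usec):
    """Return the reasons a request looks like an injection attempt, or [] if it is unremarkable."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    if qs.get("action", [""])[0] != "duplicate_quote_invoice":
        return []

    reasons = []
    post = qs.get("post", [""])[0]
    if not post.isdigit():
        reasons.append("post is not a plain integer: %r" % post)
        if SQL_TOKENS.search(post):
            reasons.append("post contains SQL syntax")
    if usec >= SLOW_THRESHOLD_US:
        reasons.append("slow response: %.1f s" % (usec / 1e6))
    return reasons


def scan_log(lines):
    """Parse log lines and return (ip, url, reasons) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        reasons = analyse_request(m["url"], int(m["usec"]))
        if reasons:
            findings.append((m["ip"], m["url"], reasons))
    return findings


# Constructed sample log: a normal duplicate action, the time-based probe quoted
# on this page, and an unrelated admin page load.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=8 HTTP/1.1" 302 0 "-" "Mozilla/5.0" 180000',
    '203.0.113.9 - - [15/Jun/2026:10:02:40 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1" 302 0 "-" "Mozilla/5.0" 20140000',
    '203.0.113.5 - - [15/Jun/2026:10:03:01 +0000] "GET /wp-admin/admin.php?page=sliced_invoices_settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 90000',
]

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, url)
        for reason in reasons:
            print("  -", reason)
```

Only the probe line is reported, with three reasons: a non-integer post value, SQL syntax inside it, and a response time above the threshold. The slow-response check is kept separate from the content checks so that a padded or double-encoded payload that slips past the token list still surfaces when it succeeds in stalling the server; the same split works for a WAF rule, where the content check blocks and the timing check alerts.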

Compliance Impact

The vulnerability allows authenticated attackers to extract sensitive database information or modify data by exploiting an SQL injection flaw in the WordPress Sliced Invoices plugin.

Such unauthorized access and potential data manipulation could lead to violations of data protection regulations like GDPR or HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability may compromise compliance with these standards by exposing or altering protected data.
