# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/
# Version: 4.3.1
# Tested on: Firefox
# Contact me: mariamtariq404@gmail.com

# Vulnerable Code:

```
wpi.business_name = '';
```

# POC

1. Install the WP-Invoice WordPress plugin and activate it.
2. Go to WP-Invoice settings and inside the Business Name field inject XSS payload “>
3. XSS will trigger and will be stored.

## POC Image

https://imgur.com/rsHIEO9
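
The `wpi.business_name = '';` line in the advisory places a stored setting inside a JavaScript string literal. The following PHP is an added example, not code from WP-Invoice or from the advisory author; it assumes the Business Name value is emitted unescaped into an inline script, and the function names and sample value are hypothetical.

```php
<?php
// Added illustration: function names and the sample value are hypothetical,
// not taken from the WP-Invoice source.

// Vulnerable pattern (assumed): the stored setting is concatenated straight
// into a single-quoted JavaScript string inside an inline <script> block.
function render_business_name_unsafe(string $name): string
{
    return "<script>wpi.business_name = '" . $name . "';</script>";
}

// Hardened pattern: serialise the value as a JSON string literal and
// hex-escape the characters that can close the literal or the <script>
// element (quotes, angle brackets, ampersand).
function render_business_name_safe(string $name): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR; // invalid UTF-8 raises instead of emitting "false"
    return '<script>wpi.business_name = ' . json_encode($name, $flags) . ';</script>';
}

// Input-side control: strip markup when the setting is saved. In WordPress,
// sanitize_text_field() is the usual choice; strip_tags() stands in here so
// the file runs without WordPress loaded.
function sanitize_business_name(string $raw): string
{
    return trim(strip_tags($raw));
}

// Constructed test value containing the characters that matter:
// single and double quotes, angle brackets, ampersand.
$stored = "Acme' & Sons </script><b>\"Ltd\"";

echo render_business_name_unsafe($stored), PHP_EOL;                        // literal is broken by the quote
echo render_business_name_safe($stored), PHP_EOL;                          // value stays inside one string literal
echo render_business_name_safe(sanitize_business_name($stored)), PHP_EOL;  // sanitised on save, encoded on output
```

Inside a plugin, `wp_json_encode()` accepts the same flags, and output encoding should be applied even when the value was sanitised on save.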