CVE-2023-4160 in WooCommerce PDF Invoice Builder Plugininfo

Summary

by MITRE • 08/31/2023

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.2.90 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/10/2026

The vulnerability identified as CVE-2023-4160 resides within the WooCommerce PDF Invoice Builder plugin for WordPress, representing a critical stored cross-site scripting flaw that undermines the security posture of affected installations. This vulnerability specifically targets the plugin's admin settings functionality and affects versions up to and including 1.2.90, creating a persistent threat vector that can be exploited by attackers with administrator-level privileges or higher. The flaw manifests through insufficient input sanitization and inadequate output escaping mechanisms, allowing malicious actors to inject malicious scripts that will execute whenever any user accesses pages containing the injected content.

The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize user inputs within its administrative configuration interface. When administrators configure the plugin settings, the system does not adequately validate or escape the data entered, creating an environment where malicious scripts can be stored persistently within the application's database. This stored payload remains dormant until accessed by other users, making it particularly dangerous as it can affect multiple victims over time. The vulnerability is specifically contextualized to multi-site WordPress installations where unfiltered_html has been disabled, indicating that the attack surface is constrained by specific environmental configurations but remains significant within those contexts.

From an operational perspective, this vulnerability presents a severe risk to WordPress environments utilizing the affected WooCommerce plugin, particularly in multi-site configurations where administrative privileges are distributed across multiple users. The attack requires only an authenticated administrator-level account to execute successfully, making it accessible to both internal malicious actors and external threat groups that have gained administrative credentials through other means. The persistent nature of stored XSS means that once the malicious script is injected, it will execute automatically for any user who accesses affected pages, potentially leading to session hijacking, credential theft, or further compromise of the WordPress installation. The impact extends beyond immediate script execution to potential privilege escalation and data exfiltration scenarios.

Mitigation strategies for CVE-2023-4160 should prioritize immediate plugin version updates to the latest secure release, as this addresses the core sanitization and escaping deficiencies. Organizations should also implement strict input validation measures and ensure that administrative accounts maintain the principle of least privilege, limiting the potential impact of credential compromise. Network monitoring and web application firewalls can provide additional detection layers for suspicious script injection patterns, while regular security audits should verify that all plugin components properly sanitize and escape user inputs. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a clear violation of ATT&CK technique T1548.001 related to privilege escalation through administrative access. Organizations should also consider implementing content security policies and regular security assessments to prevent similar vulnerabilities from emerging in other plugin components or custom-developed WordPress functionality.

Responsible

Wordfence

Reservation

08/04/2023

Disclosure

08/31/2023

Moderation

accepted

CPE

ready

EPSS

0.00412

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!