CVE-2022-1617: 
WordPress vulnerability analysis and mitigation

The WP-Invoice WordPress plugin through version 4.3.1 contains a security vulnerability identified as CVE-2022-1617. The vulnerability was discovered and reported by Mariam Tariq, and was publicly disclosed on April 25, 2022. The issue affects the plugin's settings update functionality, which lacks proper CSRF protection and input sanitization (WPScan).

The vulnerability combines Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) issues. The plugin fails to implement CSRF checks when updating settings and lacks proper sanitization and escaping mechanisms. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. It is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

An attacker can exploit this vulnerability to make a logged-in administrator unknowingly change plugin settings and inject XSS payloads. This could lead to stored cross-site scripting attacks, potentially compromising the security of the WordPress installation (WPScan).

Currently, there is no known fix available for this vulnerability in the WP-Invoice plugin. Website administrators using affected versions (4.3.1 and below) should consider either removing the plugin or implementing additional security measures such as web application firewalls (WPScan).