## Critical Vulnerability Information

### 1. **Plugin Name**

- KirilKirkovPDFInvoices

### 2. **Version**

- 1.6

### 3. **Potential Vulnerabilities**

- **Remote Code Execution Risk**
  - The code contains dynamic class loading and file inclusion operations, such as:

    ```php
    if (!class_exists('KirilKirkovWpInvoices\Invoice')) {
        require 'Includes/Admin/Classes/Invoices/Invoices.php';
    }
    ```

  - If the class names or file paths can be manipulated by an attacker, there is a potential risk of remote code execution.
- **SQL Injection Risk**
  - SQL queries in the plugin's functions do not consistently use prepared statements, which poses an SQL injection risk:

    ```php
    $clients = Clients::getListForSelect();
    $data = [];
    foreach ($clients as $client) {
        $data[] = array(
            'id'   => $client->id,
            'text' => $client->name
        );
    }
    wp_send_json($data);
    ```

### 4. **File Inclusion**

- The plugin contains numerous file inclusion operations, such as:

  ```php
  require 'Includes/Admin/Classes/Invoices/CreateInvoice.php';
  ```

- If the included file paths can be controlled by an attacker, this may lead to Local File Inclusion (LFI) vulnerabilities.

### 5. **Lack of Input Validation**

- User input is not properly validated and filtered, for example:

  ```php
  $input = filter_input(INPUT_POST, 'status');
  $invoices = Invoices::getById((int)$input['inv_id']);
  ```

- This may lead to Cross-Site Scripting (XSS) attacks and data tampering.

### 6. **Recommendations**

- Conduct a thorough code audit to ensure the security of all dynamic class loading and file inclusion operations.
- Implement strict validation and filtering for all user inputs to prevent SQL injection, XSS, and other attacks.
- Use prepared statements for all database operations to mitigate SQL injection risks.
- Regularly update the plugin to promptly patch known security vulnerabilities.
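As an added example (not the plugin's own code), the invoice lookup from the input-validation finding above is rewritten the way the recommendations describe: the `inv_id` field is read by name and validated as a positive integer, the query goes through `$wpdb->prepare()`, and the response is escaped. The AJAX action name, nonce action, capability and table name are assumptions.

```php
<?php
// Added example, not the plugin's code. Hardened AJAX handler that looks up
// one invoice by id. Action, nonce, capability and table names are assumed.

add_action('wp_ajax_kk_get_invoice', 'kk_get_invoice_handler');

function kk_get_invoice_handler() {
    // Reject requests that lack a valid nonce or the required capability.
    check_ajax_referer('kk_invoice_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // Weak form quoted in the report: filter_input() returns a string here,
    // so $input['inv_id'] never addresses a named field and the (int) cast
    // silently turns the result into 0 or 1:
    //   $input = filter_input(INPUT_POST, 'status');
    //   $invoices = Invoices::getById((int)$input['inv_id']);

    // Hardened form: read the field by name and validate it as an integer >= 1.
    $inv_id = filter_input(INPUT_POST, 'inv_id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($inv_id === false || $inv_id === null) {
        wp_send_json_error(['message' => 'invalid inv_id'], 400);
    }

    global $wpdb;
    // Assumed table name; the identifier is fixed in code, never taken from input.
    $table = $wpdb->prefix . 'kk_invoices';
    // %d binds the id as an integer, so no user-controlled text reaches the SQL.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT id, number, status FROM {$table} WHERE id = %d", $inv_id)
    );
    if ($row === null) {
        wp_send_json_error(['message' => 'not found'], 404);
    }

    // Escape stored strings before they are rendered in the admin UI (XSS).
    wp_send_json([
        'id'     => (int) $row->id,
        'number' => esc_html($row->number),
        'status' => esc_html($row->status),
    ]);
}
```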