Securing Your Invoices
As you may already know, Sliced Invoices has a variety of ways you can protect your invoices, as discussed in our documentation here: https://slicedinvoices.com/support/securing-your-invoices/
If you use the default settings, invoices are accessible to anyone with the link. For most users this is the easiest way to go. You can simply send the link to your client, they can view it and pay it, all with no login required. No muss, no fuss. This is a deliberate feature of Sliced Invoices that has existed since version 1 — over 8 years ago — and is one of the things that makes Sliced Invoices so easy to use.
The downside, however, is that if somebody is clever enough, they might be able to guess the link and find an invoice they weren’t meant to see. For some users this may be a big concern, for others not at all. That’s why we give you options including the ability to password-protect your invoices, mark them private, or use our Secure Invoices Extension which encrypts the links so they cannot be guessed. We also support third-party plugins which can protect certain areas of your site behind a login page.
None of this is new, and none of this has changed since Sliced Invoices was launched. However, we recently received a report from a security researcher who claims to have discovered this “vulnerability” that invoices are, by default, accessible to anyone with the link. In our opinion it’s illogical to claim you’ve discovered a “vulnerability” which is in fact a publicly documented feature. In any case, we have responded to this person and explained our position.
Unfortunately, the security researcher has not responded to our multiple attempts to contact him. We are sending this message to our users now because the “vulnerability report” he created is due to be published tomorrow, and we do not want anyone to be caught off guard.
To be clear, NO ACTION IS NEEDED ON YOUR PART. You may soon get a notification from your security software or host saying something to the effect of “WordPress Sliced Invoices Plugin <= 3.9.3 is vulnerable to Insecure Direct Object References (IDOR)”. That’s a fancy way of saying someone might guess a link to one of your invoices, if you have not already taken any steps to make it private. Our position is that this is not a real vulnerability, for the reasons just outlined. We think the choice should remain up to our users to decide for themselves the right balance between ease-of-use and privacy, and to choose accordingly from the several options we provide. For more information, please read the page in our documentation, Securing Your Invoices.
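For readers who want to see what “guessable link” versus “encrypted link” means in practice, here is an added illustration in plain PHP; it is not code from the Sliced Invoices plugin or the Secure Invoices Extension, and the function names, query parameters and hostname are assumptions made for the example.

```php
<?php
// Added illustration (hypothetical, not Sliced Invoices code): a link built only
// from a sequential invoice number can be enumerated, while a link carrying a
// random per-invoice token checked in constant time cannot be guessed.
declare(strict_types=1);

// Link built only from the invoice number: neighbouring numbers are easy to try.
function guessable_invoice_link(string $site, int $invoice_id): string
{
    return $site . '/?invoice=' . $invoice_id;   // ...?invoice=1042, 1043, ...
}

// Issue a 128-bit random token when the invoice is created and store it with
// the invoice (for example as post meta). 2^128 values cannot be enumerated
// the way sequential IDs can.
function issue_invoice_token(): string
{
    return bin2hex(random_bytes(16));            // 32 hex characters
}

function unguessable_invoice_link(string $site, int $invoice_id, string $token): string
{
    return $site . '/?invoice=' . $invoice_id . '&token=' . $token;
}

// Server-side check for an incoming request: the invoice number alone is not
// enough, the presented token must match the stored one. hash_equals() runs in
// constant time, so the comparison itself does not leak the token.
function can_view_invoice(string $stored_token, ?string $presented_token): bool
{
    if ($presented_token === null || strlen($presented_token) !== 32) {
        return false;                            // missing or malformed token
    }
    return hash_equals($stored_token, $presented_token);
}

// Constructed walk-through with a placeholder hostname.
$site  = 'https://example.invalid';
$id    = 1042;
$token = issue_invoice_token();

echo guessable_invoice_link($site, $id), PHP_EOL;            // enumerable
echo unguessable_invoice_link($site, $id, $token), PHP_EOL;  // needs the token

var_dump(can_view_invoice($token, $token));       // correct token
var_dump(can_view_invoice($token, 'deadbeef'));   // wrong length, rejected
var_dump(can_view_invoice($token, null));         // no token, rejected
```

Password protection and login-gated pages, the other options mentioned above, address the same risk by adding a second factor the link alone does not carry.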
If you have any questions, please let us know by either replying to this email, or opening a support ticket on our website here: https://slicedinvoices.com/support-ticket/
Best regards,
The Sliced Invoices Team