Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Stored XSS.This issue affects Sprout Clients: from n/a through <= 3.2.2.
AnalysisAI
BoldGrid Sprout Clients contains a Stored Cross-Site Scripting (XSS) vulnerability in web page generation that allows authenticated users to inject and execute arbitrary JavaScript. The vulnerability affects Sprout Clients version 3.2.2 and earlier, enabling attackers with login credentials to compromise other users viewing affected pages. While the CVSS score of 6.5 indicates medium severity with network accessibility and low attack complexity, the stored nature of the XSS and requirement for user interaction (UI:R) limits immediate widespread automated exploitation.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic server-side input validation failure where untrusted user input is rendered directly into HTML/JavaScript contexts without proper sanitization or encoding. The BoldGrid Sprout Clients product (identifiable via CPE cpe:2.3:a:boldgrid:sprout-clients) is a WordPress-related hosting and web management platform that generates dynamic web pages. The root cause involves the web page generation mechanism failing to sanitize HTML/JavaScript in user-controlled inputs, allowing stored payloads to execute in victims' browsers with the privileges of the authenticated session. This is particularly dangerous in platform-as-a-service contexts where multiple users share infrastructure.
RemediationAI
Upgrade BoldGrid Sprout Clients to version 3.2.3 or later immediately, as this patch should contain input sanitization fixes addressing CWE-79. Until patches can be deployed, implement compensating controls by enforcing HTML entity encoding on all user inputs before rendering in web pages, implementing Content Security Policy (CSP) headers to restrict script execution, and conducting input validation on all form submissions. Additionally, restrict administrative access to trusted IP ranges, enable audit logging for content modifications, and consider temporarily disabling user-editable content features if feasible. Review BoldGrid's official security advisory for detailed patch notes and verify patch applicability to your specific deployment configuration.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11953