Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.
AnalysisAI
BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.
Technical ContextAI
This is a missing authorization vulnerability (CWE-862) in a WordPress plugin, which typically means the application performs actions or returns data without verifying whether the user has permission to perform those actions. The vulnerability operates at the access control layer rather than through cryptographic or encoding failures. The Sprout Invoices plugin provides invoicing functionality within WordPress; the broken access control suggests that certain API endpoints or functions that modify invoice data or client information do not properly validate user roles or capabilities before executing sensitive operations. WordPress plugins typically define capabilities and roles through the wp_user_can() function or role-based checks; this plugin appears to be missing such validation on one or more endpoints, potentially allowing any network user to invoke privileged actions.
RemediationAI
Update Client Invoicing by Sprout Invoices to a patched version released after 20.8.10. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-10-broken-access-control-vulnerability for the specific fix version and release date. As a temporary workaround, restrict access to the WordPress admin panel and limit user roles to prevent unauthorized users from invoking plugin functions; however, this does not eliminate the vulnerability if the affected endpoints are publicly accessible. Review WordPress user capabilities and role assignments to ensure only trusted administrators and invoice managers have access to client invoicing features. Test the patched version in a staging environment before deploying to production to confirm no functionality regressions.
The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) al
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20205