Skip to main content

Client Invoicing By Sprout Invoices CVE-2026-39562

| EUVDEUVD-2026-20205 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20205
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.

AnalysisAI

BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.

Technical ContextAI

This is a missing authorization vulnerability (CWE-862) in a WordPress plugin, which typically means the application performs actions or returns data without verifying whether the user has permission to perform those actions. The vulnerability operates at the access control layer rather than through cryptographic or encoding failures. The Sprout Invoices plugin provides invoicing functionality within WordPress; the broken access control suggests that certain API endpoints or functions that modify invoice data or client information do not properly validate user roles or capabilities before executing sensitive operations. WordPress plugins typically define capabilities and roles through the wp_user_can() function or role-based checks; this plugin appears to be missing such validation on one or more endpoints, potentially allowing any network user to invoke privileged actions.

RemediationAI

Update Client Invoicing by Sprout Invoices to a patched version released after 20.8.10. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-10-broken-access-control-vulnerability for the specific fix version and release date. As a temporary workaround, restrict access to the WordPress admin panel and limit user roles to prevent unauthorized users from invoking plugin functions; however, this does not eliminate the vulnerability if the affected endpoints are publicly accessible. Review WordPress user capabilities and role assignments to ensure only trusted administrators and invoice managers have access to client invoicing features. Test the patched version in a staging environment before deploying to production to confirm no functionality regressions.

Share

CVE-2026-39562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy