Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible WordPress plugin requiring a low-privileged account; confidentiality-only impact with no write or availability consequence confirmed by description.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.13.
AnalysisAI
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum subscriber-level privileges on a site running Client Invoicing by Sprout Invoices version 20.8.13 or earlier - confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 6.5 (Medium) reflects meaningful real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or creates a low-privileged WordPress account (e.g., a Subscriber role on a site with open registration) sends a crafted request to a plugin endpoint that lacks proper capability checks. Because the missing authorization control is not enforced server-side, the request succeeds and returns confidential invoice records - client names, billing details, or financial figures - that the low-privileged user should not be permitted to view. … |
| Remediation | The primary remediation is to update the Client Invoicing by Sprout Invoices plugin to a version beyond 20.8.13 via the WordPress admin dashboard or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings
BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allow
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43346