Skip to main content

Sprout Invoices CVE-2026-57418

| EUVDEUVD-2026-43346 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress plugin requiring a low-privileged account; confidentiality-only impact with no write or availability consequence confirmed by description.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:23 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.13.

AnalysisAI

Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain low-privilege WordPress account
Exploit
Send crafted request to unprotected plugin endpoint
Execution
Missing authorization check not enforced
Impact
Receive confidential invoice or client data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum subscriber-level privileges on a site running Client Invoicing by Sprout Invoices version 20.8.13 or earlier - confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 6.5 (Medium) reflects meaningful real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or creates a low-privileged WordPress account (e.g., a Subscriber role on a site with open registration) sends a crafted request to a plugin endpoint that lacks proper capability checks. Because the missing authorization control is not enforced server-side, the request succeeds and returns confidential invoice records - client names, billing details, or financial figures - that the low-privileged user should not be permitted to view. …
Remediation The primary remediation is to update the Client Invoicing by Sprout Invoices plugin to a version beyond 20.8.13 via the WordPress admin dashboard or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy