Client Invoicing By Sprout Invoices
Monthly
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.
BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.
The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.
BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.
The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.