Skip to main content

Client Invoicing By Sprout Invoices

3 CVEs product

Monthly

CVE-2026-57418 MEDIUM This Month

Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-39562 MEDIUM This Month

BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-24787 MEDIUM POC This Month

The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Client Invoicing By Sprout Invoices
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Client Invoicing By Sprout Invoices
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy