Description
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.1.
Published: 2025-01-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that lets users reach invoice endpoints without proper permission checks. An attacker with access to the WordPress site can request URLs that expose client invoices, potentially revealing personal, payment, or tax information. The weakness is classified as CWE-862 (Missing Authorization), meaning that requests bypass the intended access controls.

Affected Systems

BoldGrid Client Invoicing by Sprout Invoices is affected in version 20.8.1 and earlier. The plugin is used to generate and manage invoices within a WordPress installation, allowing users to create, view and download financial documents.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score below 1% shows a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers exploit the lack of authorization controls by sending HTTP requests to protected invoice endpoints; no special privileges or additional network exposure are required. If the site is publicly reachable and visitors can reach these endpoints, any authenticated or even unauthenticated user could be affected.

Generated by OpenCVE AI on May 1, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version (20.8.2 or newer) which includes the missing authorization fix
  • Confirm that the role‑based access controls are enabled and correctly configured so that only users with the proper capabilities can view invoice data
  • Apply server‑level restrictions (e.g., .htaccess or web‑server rules) to block direct access to sensitive endpoint URLs when necessary
  • Review audit logs for unexpected access patterns and remediate any misconfigurations found


Advisories

Source: EUVD
ID: EUVD-2025-3810
Title: Missing Authorization vulnerability in Sprout Invoices Client Invoicing by Sprout Invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through 20.8.1.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Missing Authorization vulnerability in Sprout Invoices Client Invoicing by Sprout Invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through 20.8.1.
  Values Added: Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.1.
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sprout Invoices Client Invoicing by Sprout Invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through 20.8.1.
Title WordPress Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress plugin <=20.8.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.235Z

Reserved: 2025-01-23T14:51:10.027Z

Link: CVE-2025-24606

Vulnrichment

Updated: 2025-02-12T20:37:41.704Z

NVD

Status : Deferred

Published: 2025-01-27T15:15:14.587

Modified: 2026-04-29T10:16:41.437

Link: CVE-2025-24606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:15:22Z

Weaknesses