Description
Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.
Published: 2025-12-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by deserializing untrusted data in the BoldGrid Client Invoicing by Sprout Invoices plugin. An attacker may supply crafted serialized payloads that result in arbitrary PHP object instantiation, potentially allowing arbitrary PHP code execution. Such control over code execution undermines confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The affected product is the BoldGrid Client Invoicing by Sprout Invoices plugin, version 20.8.7 and earlier. Any WordPress installation using this plugin within that version range is vulnerable.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is classified as Critical. The EPSS score of less than 1% indicates a low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via a remote HTTP request that delivers a crafted serialized string; based on the description, it is inferred that authentication is not strictly required, making the vulnerability potentially exploitable by unauthenticated users.

Generated by OpenCVE AI on April 29, 2026 at 12:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update (v20.8.8 or newer) from the vendor
  • If upgrading immediately is not possible, disable or remove the Sprout Invoices plugin until a patch is available
  • Use application level input validation or a safe unserialize routine to reject untrusted data before deserialization

Generated by OpenCVE AI on April 29, 2026 at 12:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Boldgrid
Boldgrid client Invoicing By Sprout Invoices
Wordpress
Wordpress wordpress
Vendors & Products Boldgrid
Boldgrid client Invoicing By Sprout Invoices
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.
Title WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.7 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Boldgrid Client Invoicing By Sprout Invoices
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:26:32.070Z

Reserved: 2025-10-29T03:08:02.190Z

Link: CVE-2025-64227

cve-icon Vulnrichment

Updated: 2025-12-18T14:36:27.730Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:12.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses