Impact
The vulnerability is a missing authorization flaw in the BoldGrid Client Invoicing by Sprout Invoices plugin that allows attackers to bypass the plugin’s access control checks. The flaw arises from incorrectly configured security levels on the affected functionality, so an attacker can perform actions that should be restricted to authorized users. The potential impact is unauthorized access to sensitive invoicing information and the ability to manipulate invoices. It is classified as CWE-862 (Missing Authorization).
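As an added illustration of the CWE-862 pattern described above (this is not the plugin’s code, which is not shown on this page): a hypothetical WordPress AJAX handler that trusts any logged-in request, beside a hardened version that verifies the nonce and checks a capability before touching the invoice. The action name, nonce name, meta key and function names are assumptions.

```php
<?php
// Illustrative pattern only: hypothetical handler, not code from the Sprout Invoices plugin.

// Missing-authorization shape (CWE-862): reachable by any authenticated user,
// with no nonce or capability check before the invoice is modified.
function example_update_invoice_unchecked() {
    $invoice_id = absint( $_POST['invoice_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    // Any low-privileged account can reach this line and change invoice data.
    update_post_meta( $invoice_id, '_example_invoice_status', $status );
    wp_send_json_success();
}

// Hardened shape: reject forged requests (nonce), then require a capability that
// only authorized roles hold for this specific invoice before doing any work.
function example_update_invoice_checked() {
    // Fails the request (HTTP 403 / -1) if the nonce is missing or invalid.
    check_ajax_referer( 'example_invoice_nonce', 'nonce' );

    $invoice_id = absint( $_POST['invoice_id'] ?? 0 );
    if ( 0 === $invoice_id || 'example_invoice' !== get_post_type( $invoice_id ) ) {
        wp_send_json_error( 'invalid invoice', 400 );
    }
    // Meta capability check scoped to this object; substitute the plugin's own
    // capability (assumed here) if it defines one for invoice editing.
    if ( ! current_user_can( 'edit_post', $invoice_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $invoice_id, '_example_invoice_status', $status );
    wp_send_json_success();
}

// Register only the checked handler, and only for logged-in users
// (no wp_ajax_nopriv_ hook for a privileged action).
add_action( 'wp_ajax_example_update_invoice', 'example_update_invoice_checked' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_`, REST route or `admin_post_` handler and confirm each one performs both a nonce check and a `current_user_can()` check before any read or write of invoice data.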
Affected Systems
BoldGrid’s Client Invoicing by Sprout Invoices plugin for WordPress, affecting all versions from the earliest release up to and including 20.8.7. Any site that has the plugin installed and has not been updated to a later version is susceptible.
Risk and Exploitability
The CVSS base score of 4.3 indicates moderate severity. The EPSS score is below 1%, showing a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would likely need an authenticated user account, since the affected actions should be confined to privileged roles; once such an account is in hand, the missing check can be exploited to read or modify invoices. While the flaw is a broken access control and can be exploited without complex prerequisites, the low EPSS suggests limited active exploitation reports.
OpenCVE Enrichment