Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows PHP Local File Inclusion. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.9.
Published: 2026-03-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a PHP Local File Inclusion flaw in the BoldGrid Client Invoicing by Sprout Invoices plugin (versions through 20.8.9). The plugin improperly controls the filename supplied to include/require statements, allowing an attacker to force the application to include arbitrary local files. If the attacker can cause the script to execute code from a local file they control, it can lead to Remote Code Execution. This weakness is identified as CWE-98.

Affected Systems

Affected systems are sites running the BoldGrid Client Invoicing by Sprout Invoices WordPress plugin from the initial release through version 20.8.9. No specific product subversions are listed, so all installations of those versions are considered vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity; the vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable, low-complexity attack that nonetheless requires high privileges. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at present, and the issue is not listed in CISA's KEV catalog. The likely attack vector is a crafted HTTP request to a plugin endpoint that passes an unvalidated file parameter to include/require. Because this is a local rather than remote file inclusion, the attacker additionally needs a file already present on the server's file system whose content they control; the exposed include feature is what causes such a file to be executed.

Generated by OpenCVE AI on March 17, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade BoldGrid Client Invoicing by Sprout Invoices to version 20.9.0 or later.
  • If an immediate upgrade is not possible, block external access to the vulnerable include parameter by configuring firewall or application firewall rules.
  • Verify that no 'file' parameter is exposed and disable direct URL access to the plugin’s include functionality if possible.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000
Type: Metrics (values added; nothing removed)
  cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000
Type: First Time appeared (values added; nothing removed)
  Boldgrid
  Boldgrid client Invoicing By Sprout Invoices
  Wordpress
  Wordpress wordpress
Type: Vendors & Products (values added; nothing removed)
  Boldgrid
  Boldgrid client Invoicing By Sprout Invoices
  Wordpress
  Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000
Type: Description (values added; nothing removed)
  Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows PHP Local File Inclusion. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.9.
Type: Title (values added; nothing removed)
  WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.9 - Local File Inclusion vulnerability
Type: Weaknesses (values added; nothing removed)
  CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:09.653Z

Reserved: 2026-03-12T11:11:14.585Z

Link: CVE-2026-32401

Vulnrichment

Updated: 2026-03-17T13:24:34.042Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:56.160

Modified: 2026-03-17T14:16:16.537

Link: CVE-2026-32401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:04:01Z

Weaknesses