Description
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to invoice data leading to potential confidentiality and integrity compromise
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows incorrectly configured access control security levels to be bypassed. An attacker exploiting this flaw can read or edit invoices belonging to other clients, thereby affecting confidentiality and integrity of financial information.

Affected Systems

The affected product is BoldGrid Client Invoicing by Sprout Invoices. All versions n/a through 20.8.10 are impacted. The issue is present in every release up to and including 20.8.10.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is likely through authenticated access where an attacker with a lower privilege level can exploit the broken access control. No additional exploit conditions or prerequisites are provided in the available data.

Generated by OpenCVE AI on April 13, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Client Invoicing by Sprout Invoices plugin to version 20.8.11 or newer.

Generated by OpenCVE AI on April 13, 2026 at 21:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Boldgrid
Boldgrid client Invoicing By Sprout Invoices
Wordpress
Wordpress wordpress
Vendors & Products Boldgrid
Boldgrid client Invoicing By Sprout Invoices
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.
Title WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.10 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Boldgrid Client Invoicing By Sprout Invoices
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.114Z

Reserved: 2026-04-07T10:48:26.893Z

Link: CVE-2026-39562

cve-icon Vulnrichment

Updated: 2026-04-13T18:20:14.419Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:27.343

Modified: 2026-04-24T18:07:25.343

Link: CVE-2026-39562

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:39:50Z

Weaknesses