{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25364", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.299Z", "datePublished": "2026-02-19T08:26:59.312Z", "dateUpdated": "2026-04-28T16:14:56.851Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sprout-invoices", "product": "Client Invoicing by Sprout Invoices", "vendor": "BoldGrid", "versions": [{"changes": [{"at": "20.8.9", "status": "unaffected"}], "lessThanOrEqual": "20.8.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:07.897Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.</p>"}], "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.851Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:49:24.058306Z", "id": "CVE-2026-25364", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:06:26.511Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "BoldGrid", "product": "Client Invoicing by Sprout Invoices", "versions": [{"status": "affected", "changes": [{"at": "20.8.9", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 20.8.8"}], "packageName": "sprout-invoices", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:25:59.663Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:26:59.312Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:49:24.058306Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-20T15:48:31.888Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-25364", "state": "PUBLISHED", "dateUpdated": "2026-02-19T08:26:59.312Z", "dateReserved": "2026-02-02T12:52:55.299Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:59.312Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n faltante en BoldGrid Facturaci\u00f3n de Cliente por Sprout Invoices sprout-invoices permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Facturaci\u00f3n de Cliente por Sprout Invoices: desde n/a hasta &lt;= 20.8.8."}], "id": "CVE-2026-25364", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:19.297", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,20.8.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Client Invoicing by Sprout Invoices", "source": "cna", "vendor": "BoldGrid"}, "product": "client_invoicing_by_sprout_invoices", "vendor": "boldgrid"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:25:10.816560+00:00", "value": {"mitigation_remediation": ["Upgrade Sprout Invoices to version 20.8.9 or later, ensuring the access control check is applied. ", "Perform a review of user roles and permissions for the invoicing module to confirm that only authorized users can perform sensitive actions. ", "If an upgrade is not immediately possible, restrict access to the plugin\u2019s administrative pages by configuring .htaccess rules or a firewall to block unauthenticated or low\u2011privilege users."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The Sprout Invoices plugin for WordPress, supplied by BoldGrid under the name Client Invoicing by Sprout Invoices, is affected in all releases from its initial version through and including 20.8.8.", "description_and_impact": "This vulnerability is a missing authorization flaw that allows attackers to bypass incorrectly configured access control rules within the Sprout Invoices plugin. By exploiting this weakness, an attacker could gain unauthorized privileges to view, modify, or delete invoice information, potentially exposing sensitive customer data, undermining data integrity, and enabling further attacks within the WordPress environment. The weakness is identified as CWE-862, reflecting an issue where the system does not properly enforce access controls for authenticated users.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating medium severity, and an EPSS score of less than 1%, suggesting low exploitation probability at present. It is not listed in the CISA KEV catalog. The attack vector is likely via the web interface of the WordPress site; an attacker who can access the plugin\u2019s management pages without proper authentication can exploit the broken access control to obtain elevated rights."}}}}, "created": "2026-02-20T10:08:46.231295+00:00", "updated": "2026-04-16T00:30:18.862341+00:00", "vendors": ["boldgrid", "boldgrid$PRODUCT$client_invoicing_by_sprout_invoices", "wordpress", "wordpress$PRODUCT$wordpress"]}