CVE-2025-64229 MEDIUM

CVE-2025-64229: WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.7 - Broken Access Control vulnerability

Vendor Boldgrid
Product Client Invoicing by Sprout Invoices
Weakness CWE-862 · Missing authorization
Published October 29, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.

Explanation of Vulnerability in Simple Terms

02Summary

Client Invoicing by Sprout Invoices versions 20.8.7 and earlier lack proper authorization checks, allowing authenticated users to modify invoice data they should not have access to. An attacker with a low-privilege account can alter invoices belonging to other users or organizations. The vulnerability requires an existing user account but no additional user interaction.

What an attacker can do

03Attacker Capabilities

Modify invoices belonging to other users or organizations without authorization.

Potential impact on your site

04Site Impact

Invoice data integrity is at risk; users may alter financial records they should not control.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06Disclosure timeline

October 29, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2023-6394 Quarkus: graphql operations over websockets bypass CVE-2024-10824 Authorization Bypass Vulnerability was Identified in GitHub Enterprise Server that Allowed Unauthorized Internal Users to Access Secret Scanning Alert Data CVE-2025-1657 Directory Listings WordPress plugin – uListing <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection CVE-2024-11848 NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update CVE-2025-69353 WordPress Proxy & VPN Blocker plugin <= 3.5.3 - Broken Access Control vulnerability