What the vulnerability does
01Description
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.13.
Explanation of Vulnerability in Simple Terms
02Summary
Client Invoicing by Sprout Invoices versions 20.8.13 and earlier lack proper authorization checks, allowing authenticated users to read sensitive invoice data they should not access. An attacker with a low-privilege account can view confidential invoicing information belonging to other users or clients. This affects the confidentiality of financial records stored in the plugin.
What an attacker can do
03Attacker Capabilities
Read other users' or clients' invoice data and financial information.
Potential impact on your site
04Site Impact
Customer and financial data in invoices may be exposed to unauthorized users with site access.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the site (e.g., subscriber or customer role).
Key dates
06Disclosure timeline
July 13, 2026
CVE published
July 13, 2026
Record updated