{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39562", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:26.893Z", "datePublished": "2026-04-08T08:30:18.463Z", "dateUpdated": "2026-04-08T08:30:18.463Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sprout-invoices", "product": "Client Invoicing by Sprout Invoices", "vendor": "BoldGrid", "versions": [{"changes": [{"at": "20.8.11", "status": "unaffected"}], "lessThanOrEqual": "20.8.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.876Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.</p>"}], "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.463Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-10-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.10 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10."}], "id": "CVE-2026-39562", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:27.343", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-10-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,20.8.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Client Invoicing by Sprout Invoices", "source": "cna", "vendor": "BoldGrid"}, "product": "client_invoicing_by_sprout_invoices", "vendor": "boldgrid"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:51:01.376615+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 20.8.10", "Verify the new version is installed correctly and sensitive endpoints are no longer exposed", "If an update is not possible, restrict plugin permissions so that only trusted administrators can access invoicing functions", "Monitor site logs for unusual access attempts to invoicing URLs and block offending IPs", "Keep core WordPress and all other plugins up to date to limit overall attack surface"], "summary": {"action": "Patch Now", "impact": "Unauthorized Access / Data Exposure"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress Client Invoicing by Sprout Invoices plugin with versions up to and including 20.8.10 are affected. Users running any older or legacy releases of the bundled plugin are vulnerable until they update to a newer, patched version. The affected vendor is BoldGrid, which offers the plugin under the Client Invoicing by Sprout Invoices umbrella.", "description_and_impact": "A Missing Authorization vulnerability in the BoldGrid Client Invoicing by Sprout Invoices plugin allows an attacker to bypass restricted access controls and access endpoints intended only for privileged administrators. This flaw can enable reading, creating, modifying, or deleting invoicing data, potentially exposing confidential financial information or disrupting business operations. The weakness is classified as CWE\u2011862, indicating improper authorization checks.", "risk_and_exploitability": "The CVSS score is not provided, but the nature of the access-control bypass implies a high potential impact. EPSS is unavailable, and the vulnerability is not marked in the CISA KEV catalog. The likely attack vector involves web requests to the plugin\u2019s internal API or administrative interfaces that lack proper authentication checks, meaning an attacker with any user-level access or even no account could potentially exploit the flaw if endpoints are publicly reachable. Immediate remediation is strongly advised because of the broad potential for data compromise."}}}}, "created": "2026-04-08T19:30:14.673699+00:00", "updated": "2026-04-08T19:42:33.267933+00:00", "vendors": ["boldgrid", "boldgrid$PRODUCT$client_invoicing_by_sprout_invoices", "wordpress", "wordpress$PRODUCT$wordpress"]}