CVE-2025-64229 in Client Invoicing by Sprout Invoices Plugin
Summary
by MITRE • 10/29/2025
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.
Analysis
by VulDB Data Team • 01/21/2026
CVE-2025-64229 is a critical missing authorization flaw in the BoldGrid Client Invoicing plugin for WordPress, affecting versions up to and including 20.8.7. It stems from incorrectly configured access control security levels that let unauthorized users bypass the intended authorization mechanisms: an insufficient access control check fails to validate user permissions before granting access to sensitive invoicing functionality. The misconfiguration gives attackers a path to data or functionality that should be restricted to authorized personnel only.
Technically, the flaw lies in the plugin's access control validation logic, where user authentication and authorization checks are either missing or improperly enforced. An attacker can use this weakness to view, create, modify, or delete client invoices without the administrative privileges or user permissions those actions require. The misconfiguration violates the principle of least privilege and corresponds to CWE-285 (Improper Authorization). Because the flaw spans the entire affected version range, the faulty access control mechanism appears to have been present since the initial implementation and was not properly addressed in subsequent patches.
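The missing-check pattern described above, as an added illustration that is not the plugin's code: a hypothetical WordPress AJAX handler that returns an invoice, first with no authorization at all and then hardened with nonce, authentication and per-object authorization checks. All action, function, post-type and capability names are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Handler, action, post type
// and capability names are hypothetical.

// VULNERABLE: the handler trusts the caller. It checks neither a nonce nor a
// capability, and the wp_ajax_nopriv_ hook exposes it to logged-out users,
// so any visitor who supplies a post ID receives that invoice (CWE-285).
add_action( 'wp_ajax_example_get_invoice',        'example_get_invoice_unsafe' );
add_action( 'wp_ajax_nopriv_example_get_invoice', 'example_get_invoice_unsafe' );
function example_get_invoice_unsafe() {
    $invoice = get_post( absint( $_REQUEST['invoice_id'] ?? 0 ) );
    wp_send_json_success( $invoice );
}

// HARDENED: same functionality, but authorization is decided server-side.
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers get
// WordPress's default "0" / HTTP 400 response and never reach the handler.
add_action( 'wp_ajax_example_get_invoice_v2', 'example_get_invoice_safe' );
function example_get_invoice_safe() {
    // 1. CSRF protection: the request must carry a nonce tied to this action.
    check_ajax_referer( 'example_get_invoice', 'nonce' );

    // 2. Authentication: a valid logged-in session is required.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $invoice_id = absint( $_REQUEST['invoice_id'] ?? 0 );
    $invoice    = get_post( $invoice_id );

    // 3. The object must exist and be of the expected (assumed) post type.
    if ( ! $invoice || 'example_invoice' !== $invoice->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 4. Authorization on the specific object, not merely on being logged in:
    //    the caller must own the invoice or hold a capability (assumed name)
    //    that grants read access to other users' invoices.
    $is_owner = (int) $invoice->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'example_manage_invoices' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    wp_send_json_success( $invoice );
}
```

In a code review, the absence of `current_user_can()` (or an equivalent object-level check) between the hook registration and the data access is the signature of this class of flaw, regardless of whether a nonce is present.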
The operational impact goes beyond simple unauthorized access: sensitive financial data and client information may be exposed to malicious actors. A successful attacker could read complete invoicing records, client contact details, and billing information, and potentially manipulate financial data within the system. For businesses that rely on the plugin for client management and financial tracking this is a significant risk, since the exposure could lead to data breaches, financial fraud, and compliance violations. The flaw also opens the door to privilege escalation, in which unauthenticated or low-privilege users gain administrative capabilities within the invoicing system.
Mitigation should start immediately with updating to the latest available version of the BoldGrid Client Invoicing plugin, in which the authorization flaw has been addressed. Organizations should also review access controls thoroughly and add monitoring for unauthorized access attempts against invoicing systems. Network segmentation and least privilege enforcement should be reinforced to limit the impact should the vulnerability be exploited. The ATT&CK framework places this vulnerability under the privilege escalation and credential access tactics, where attackers move laterally within systems to gain elevated access. Regular security audits and penetration tests should look for similar access control misconfigurations in other plugins and system components, and system administrators should implement logging and alerting to detect unauthorized access attempts against sensitive financial data in the invoicing platform.