CVE-2026-32401 in Client Invoicing by Sprout Invoices Plugin
Summary
by MITRE • 03/13/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BoldGrid Client Invoicing by Sprout Invoices (sprout-invoices) allows PHP Local File Inclusion. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.9.
Analysis
by VulDB Data Team • 03/20/2026
CVE-2026-32401 is a critical PHP Remote File Inclusion flaw (CWE-98) in the BoldGrid Client Invoicing by Sprout Invoices plugin. It stems from improper control of the filename passed to an include/require statement, which lets an attacker steer which file the application executes. Affected versions run from the initial release through and including 20.8.9, so any installation that has not been updated remains exposed.
The flaw arises where the application passes user-supplied input to an include or require statement without validating or sanitizing it. An attacker who controls that value can supply an arbitrary file path or URL, producing a local file inclusion that can lead to execution of malicious code on the server. The root cause is the absence of input validation, sanitization or access control before the filename parameter is processed. This is CWE-98, Improper Control of Filename for Include/Require Statement, and it violates the secure coding rule that an included filename must never be derived from untrusted input.
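The following is an added example, not code from the Sprout Invoices plugin or from VulDB: a hypothetical WordPress view loader written first in the CWE-98 pattern described above, then in a hardened form that allowlists the view name and checks path containment. The function names, the `si_view` request parameter and the `views/` directory layout are assumptions for illustration; the example relies on WordPress functions such as `plugin_dir_path`, `sanitize_key` and `wp_die`.

```php
<?php
// Added example, not code from the Sprout Invoices plugin: a hypothetical
// WordPress view loader in the CWE-98 pattern, followed by a hardened form.
// Function names, the 'si_view' parameter and the views/ layout are assumed.

// VULNERABLE: the request value is concatenated straight into include.
// Whatever path the web server process can read (or, with allow_url_include
// enabled, a URL) decides which file gets executed.
function si_example_load_view_vulnerable() {
    $view = isset( $_GET['si_view'] ) ? $_GET['si_view'] : 'invoice';
    include plugin_dir_path( __FILE__ ) . 'views/' . $view . '.php';
}

// HARDENED: allowlist the name, then prove the resolved path stays inside
// the plugin's views/ directory before including it.
function si_example_load_view() {
    // Views that actually ship with the plugin (constructed list).
    $allowed = array( 'invoice', 'estimate', 'payment' );

    // sanitize_key() keeps only [a-z0-9_-], so '.', '/' and ':' never reach the check.
    $view = isset( $_GET['si_view'] )
        ? sanitize_key( wp_unslash( $_GET['si_view'] ) )
        : 'invoice';
    if ( ! in_array( $view, $allowed, true ) ) {
        wp_die( esc_html__( 'Unknown view.', 'si-example' ), '', array( 'response' => 400 ) );
    }

    // Defence in depth: canonicalise both paths and require prefix containment.
    // realpath() returns false for a missing file, which the check also rejects.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'views' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $view . '.php' );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( esc_html__( 'View not found.', 'si-example' ), '', array( 'response' => 404 ) );
    }
    include $path;
}
```

The allowlist alone closes the hole; the realpath containment check is there so that a later refactor which loosens the allowlist (or builds the name from another source) still cannot include a file outside `views/`.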
The impact goes well beyond data theft: successful exploitation lets an attacker execute arbitrary code with the privileges of the web application. From there an attacker could upload malicious files, establish persistent backdoors or attempt privilege escalation toward full control of the hosting environment. Shared hosting raises the stakes, since one compromised application can expose the other applications on the same server and serve as a foothold for broader network intrusion. The vulnerability maps to ATT&CK technique T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter), because a manipulated include statement yields remote code execution.
Mitigation requires prompt action from administrators and developers. The most important step is updating to the latest version of the Sprout Invoices plugin, in which the vulnerability has been patched; version 20.8.9 and earlier are affected. Beyond that, input validation and sanitization should be enforced throughout the codebase, above all wherever files are included dynamically. A web application firewall with rules that detect and block suspicious include/require parameter patterns adds a further layer, and least-privilege access controls together with restrictive file permissions limit the damage if exploitation does occur. Regular security audits and penetration testing should look for the same pattern in other components of the application stack, since a flaw of this kind often signals broader weaknesses in the codebase that need comprehensive remediation.