WordPress Plugin Vulnerabilities

Client Invoicing by Sprout Invoices < 20.8.1 - Insecure Direct Object Reference

Description

The Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 20.8.0 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to act on objects they shouldn't be able to manipulate.

Affects Plugins

Plugin icon
sprout-invoices
Fixed in 20.8.1

References

CVE
CVE-2024-53819
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/326e168d-c2ae-485f-93ff-ed59d5b6061e

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Manab Jyoti Dowarah
Verified
No
WPVDB ID
d5d382be-ce62-4bb3-88fe-3e29d163411a

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-12 (about 1 year ago)
Last Updated
2024-12-12 (about 1 year ago)

Other

Published
Title
Published
2026-01-01
Title
Branda – White Label & Branding, Free Login Page Customizer < 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover
Published
2024-06-20
Title
User Profile Picture < 2.6.2 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update
Published
2025-03-31
Title
Radius Blocks <= 2.2.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-03-28
Title
Molongui < 4.7.8 - Authenticated (Author+) Insecure Direct Object Reference
Published
2025-02-23
Title
Recipe Card Blocks for Gutenberg & Elementor < 3.4.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Disclosure