CVE-2024-53819: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2024-53819) was discovered in the Client Invoicing by Sprout Invoices WordPress plugin, affecting versions up to and including 20.8.0. The vulnerability was publicly disclosed on December 2, 2024, and was identified by security researcher Manab Jyoti Dowarah (WPScan, Patchstack).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue due to missing validation on a user-controlled key. It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is categorized under CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (Patchstack).

The vulnerability allows unauthenticated attackers to act on objects they shouldn't be able to manipulate, potentially leading to unauthorized access to sensitive information. The security issue has been assessed as having a low severity impact (WPScan).

The vulnerability has been fixed in version 20.8.1 of the Client Invoicing by Sprout Invoices plugin. Users are advised to update to version 20.8.1 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).