CVE-2025-24606: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-24606) was discovered in Client Invoicing by Sprout Invoices WordPress plugin, affecting versions through 20.8.1. The vulnerability was initially reported by Trương Hữu Phúc on November 27, 2024, and was publicly disclosed on December 27, 2024 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 6.4 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L, indicating network accessibility, low attack complexity, and requiring low privileges. The vulnerability allows exploiting incorrectly configured access control security levels (NVD, Patchstack).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The CVSS scoring indicates potential impacts on integrity and availability, though confidentiality is not affected (Patchstack).

The vulnerability has been fixed in version 20.8.2. Users are advised to update to version 20.8.2 or later immediately. For Patchstack users, virtual patching is available to mitigate the issue by blocking potential attacks until the update can be applied (Patchstack).