CVE-2025-64227
BoldGrid · Client Invoicing by Sprout Invoices
A Deserialization of Untrusted Data vulnerability in the BoldGrid Client Invoicing by Sprout Invoices plugin allows for Object Injection.
Executive summary
A critical deserialization vulnerability in the BoldGrid Client Invoicing plugin enables unauthenticated attackers to perform object injection, risking full system compromise.
Vulnerability
The plugin is susceptible to an Object Injection attack via the deserialization of untrusted data. An unauthenticated attacker can exploit this to inject malicious objects, which may lead to remote code execution.
Business impact
With a CVSS score of 9.8, this vulnerability poses an extreme threat to business operations. Exploitation could allow attackers to bypass security controls, steal financial or customer data, and gain persistent access to the server infrastructure.
Remediation
Immediate Action: Update the Client Invoicing by Sprout Invoices plugin to a version beyond 20.8.7 as soon as a patch is available.
Proactive Monitoring: Monitor server-side logs for signs of unusual application behavior or unexpected function calls that typically follow an object injection attempt.
Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect incoming traffic for malicious serialized objects that target this specific plugin functionality.
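To make the weakness class in the Vulnerability section and the controls above concrete, the following PHP is an added illustration written for this advisory; it is not code from the Sprout Invoices plugin and does not claim to show where in the plugin the flaw lies. It assumes the generic shape of a CWE-502 bug: a request handler (hypothetical `load_state_unsafe`) passing an unauthenticated parameter straight to `unserialize()`. Alongside it are two hardened variants and a small request filter (`looks_like_serialized_object`) of the kind a WAF rule or input validator would apply before data reaches the plugin. The sample inputs at the bottom are constructed.

```php
<?php
// Added example for this advisory; not the plugin's own code.
// Assumed: a handler receives an untrusted string (query/body parameter) and
// turns it back into application state.

// VULNERABLE PATTERN (CWE-502). unserialize() on attacker-controlled input will
// instantiate any class that is loaded, so magic methods such as __wakeup() and
// __destruct() run on data the attacker chose. That is what "object injection" means.
function load_state_unsafe(string $raw)
{
    return unserialize($raw);
}

// HARDENED PATTERN 1: keep the serialized format but refuse to instantiate classes.
// With allowed_classes => false, any object in the payload becomes a
// __PHP_Incomplete_Class stub and no magic methods execute. We additionally reject
// payloads that contained objects at all, since valid state here is plain arrays.
function load_state_safe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $sawObject = false;
    array_walk_recursive($data, function ($v) use (&$sawObject) {
        if (is_object($v)) {
            $sawObject = true;
        }
    });
    return $sawObject ? [] : $data;
}

// HARDENED PATTERN 2: use JSON for anything crossing a trust boundary. json_decode()
// with $assoc = true never creates application objects, so there is no gadget surface.
function load_state_json(string $raw): array
{
    try {
        $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// DETECTION / COMPENSATING CONTROL: flag the PHP serialized-object token
// (O:<len>:"Class":<n>:{ or the Serializable form C:<len>:"Class":<n>:{) in a
// parameter value. A real filter must also normalise URL-, base64- and nested
// encodings first; this checks the decoded value only.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/[OC]:\d+:"[^"]*":\d+:\{/', $value);
}

// Constructed samples for a local check. The "suspicious" one uses stdClass and
// carries no gadget; it only exercises the token match.
$benignState = serialize(['invoice_id' => 42, 'status' => 'paid']);
$suspicious  = 'O:8:"stdClass":1:{s:1:"a";i:1;}';

var_dump(looks_like_serialized_object($benignState));
var_dump(looks_like_serialized_object($suspicious));
var_dump(load_state_safe($benignState));
var_dump(load_state_safe($suspicious));
var_dump(load_state_json('{"invoice_id":42}'));
```

The detector is deliberately narrow: it matches only the object token, so plain serialized arrays such as the benign sample pass, while any payload that tries to instantiate a class is stopped before the handler runs. It belongs in front of the plugin (WAF or a request filter), not inside it, which is the "compensating control" role described above; the actual fix is still the vendor update.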
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the severity of this deserialization vulnerability, immediate remediation is required. Organizations should treat this as a high-priority update to prevent potential remote command execution and maintain the security posture of their web environment.