Atomic Edge analysis of CVE-2026-25364:
The vulnerability is a missing authorization flaw in the Client Invoicing by Sprout Invoices WordPress plugin affecting versions up to 20.8.8. The vulnerability allows unauthenticated attackers to perform unauthorized actions on invoice and estimate documents via AJAX endpoints. The CVSS score of 5.3 reflects a medium severity issue with potential for data manipulation.

The root cause is the absence of capability checks in two AJAX handler functions within the _Controller.php file. The `maybe_create_private_note()` function (lines 959-1008) and `maybe_change_status()` function (lines 1026-1114) lacked proper authorization validation. Both functions accepted requests via the WordPress admin-ajax.php endpoint and performed document operations without verifying whether the requester had appropriate permissions. The only check either function performed was nonce validation via `wp_verify_nonce()`, which provides CSRF protection but not authorization: a valid nonce proves the request originated from a page the site served, not that the sender is allowed to modify the document.

Exploitation requires sending POST requests to /wp-admin/admin-ajax.php with specific action parameters. For private note creation, attackers use action=si_maybe_create_private_note with parameters including private_note_nonce, associated_id, and notes. For status changes, attackers use action=si_maybe_change_status with parameters change_status_nonce, id, and status. The nonce values can be obtained from publicly accessible invoice or estimate pages, as these pages include the nonce in JavaScript variables. Attackers can then manipulate any document by providing the document ID and desired payload.

The patch implements a dual authentication model in version 20.8.9. For authenticated users, the patch adds capability checks: `current_user_can('edit_sprout_invoices')` for note creation and `current_user_can('edit_post', $doc_id)` for status changes. For unauthenticated users, the patch introduces document-specific access hashes. The system now requires a doc_hash parameter that must match a cryptographically secure hash stored with each document. The SI_Upgrades class generates these hashes for existing documents during migration. The patch also adds the `ensure_doc_hash()` function to generate missing hashes on-the-fly, preventing race conditions.
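The following is an added illustration of the dual model described above, written as a generic WordPress AJAX handler; it is not the plugin's patched code, and the function names, the `si_example_` prefix, the meta keys and the status list are assumptions made for the example. It keeps the nonce check (CSRF only) and adds the authorization step that was missing: a scoped capability check for logged-in users, and a constant-time comparison against a stored per-document hash for unauthenticated callers.

```php
<?php
// Example code, not the plugin's own; every si_example_ name and meta key is an assumption.

// Generate and persist a per-document secret if none exists yet (the on-the-fly case).
function si_example_ensure_doc_hash( $doc_id ) {
    $hash = get_post_meta( $doc_id, '_si_example_doc_hash', true );
    if ( empty( $hash ) ) {
        $hash = bin2hex( random_bytes( 32 ) ); // 256-bit random value, not derived from the ID
        update_post_meta( $doc_id, '_si_example_doc_hash', $hash );
    }
    return $hash;
}

// Returns true only if the caller is allowed to modify this specific document.
function si_example_can_modify_doc( $doc_id, $supplied_hash ) {
    if ( is_user_logged_in() ) {
        // Authenticated path: a real capability check, scoped to this post.
        return current_user_can( 'edit_post', $doc_id );
    }
    // Unauthenticated path: caller must present the document-specific hash.
    if ( ! is_string( $supplied_hash ) || '' === $supplied_hash ) {
        return false;
    }
    $stored = si_example_ensure_doc_hash( $doc_id );
    return hash_equals( $stored, $supplied_hash ); // constant-time comparison
}

function si_example_change_status() {
    // Nonce: CSRF protection only. Passing this says nothing about authorization.
    if ( ! isset( $_POST['change_status_nonce'] )
        || ! wp_verify_nonce( $_POST['change_status_nonce'], 'si_example_change_status' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    $doc_id  = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed = array( 'draft', 'pending', 'paid', 'accepted' ); // assumed status set
    if ( ! $doc_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $doc_hash = isset( $_POST['doc_hash'] ) ? sanitize_text_field( $_POST['doc_hash'] ) : '';
    if ( ! si_example_can_modify_doc( $doc_id, $doc_hash ) ) {
        wp_send_json_error( 'forbidden', 403 ); // the check the vulnerable handlers lacked
    }
    update_post_meta( $doc_id, '_si_example_status', $status );
    wp_send_json_success( array( 'id' => $doc_id, 'status' => $status ) );
}
// Registered for both logged-in and anonymous callers, as admin-ajax.php handlers are.
add_action( 'wp_ajax_si_example_change_status', 'si_example_change_status' );
add_action( 'wp_ajax_nopriv_si_example_change_status', 'si_example_change_status' );
```

The ordering matters: input is validated before the authorization decision, and a failed authorization check returns without touching the document, so neither a valid nonce nor a known document ID alone is sufficient.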

The impact of successful exploitation includes unauthorized modification of invoice and estimate statuses, potentially marking invoices as paid without actual payment or changing estimate statuses to accepted. Attackers can also create private notes on documents, which could be used for defacement, social engineering, or false communication. While the vulnerability doesn’t directly enable privilege escalation or remote code execution, it allows manipulation of financial documents and business records, potentially leading to financial loss or business disruption.