CVE-2026-32401
Published: 13 March 2026
Summary
CVE-2026-32401 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 36.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32401 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Local File Inclusion (CWE-98), affecting the WordPress plugin Client Invoicing by Sprout Invoices (sprout-invoices). The issue impacts all versions from n/a through 20.8.9 and was published on 2026-03-13.
With a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network with low attack complexity and no user interaction, but only by an authenticated user holding high privileges. Successful exploitation has high impact on confidentiality, integrity, and availability: the attacker can make the plugin include a local file of their choosing.
The Patchstack advisory provides further details on this vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-9-local-file-inclusion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11918
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows PHP Local File Inclusion. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.9.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability (CWE-98) in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial or high-impact access, and the attacker-controlled include/require facilitates T1005 (Data from Local System) through arbitrary local file reads.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of untrusted filename inputs supplied to PHP include/require statements, blocking the LFI vector in sprout-invoices.
- SI-2 (Flaw Remediation): requires timely application of the vendor patch that corrects the filename-handling flaw in versions <= 20.8.9.
- Limits the set of high-privilege accounts that can reach the vulnerable include/require code path, reducing exploitability.
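The SI-10 control above amounts to never letting a request value decide which file include/require loads. The following PHP is an added illustration written for this page; it is not code from sprout-invoices or from the vendor, and the template names, the `templates/` directory and the `template` request parameter are hypothetical. It shows the CWE-98 pattern on the left-hand side of the fix and an allowlist-based version that realises the control.

```php
<?php
// Added illustration of CWE-98 and of an SI-10 style input-validation fix.
// Hypothetical template loader; NOT taken from the sprout-invoices plugin.

// Unsafe pattern (CWE-98): a request-supplied string is spliced into the
// path handed to include(), so the caller decides which file executes.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: the untrusted value is only ever used as an array key
// into a fixed map of known files; it never becomes part of a path itself.
const TEMPLATE_ALLOWLIST = [
    'invoice'  => 'invoice.php',
    'estimate' => 'estimate.php',
    'receipt'  => 'receipt.php',
];

function render_template_safe(string $template): bool
{
    if (!array_key_exists($template, TEMPLATE_ALLOWLIST)) {
        // Log the rejected value in a form that cannot break the log line.
        error_log('rejected template key: ' . json_encode($template));
        return false;
    }
    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . TEMPLATE_ALLOWLIST[$template]);
    // Defence in depth: confirm the resolved file still lives inside the
    // templates directory before include() runs, even though the allowlist
    // should already guarantee it.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template path resolved outside base directory');
        return false;
    }
    include $real;
    return true;
}

// Constructed usage: a request handler passes the raw parameter through the
// allowlist and answers 400 for anything that is not a known key.
$key = isset($_GET['template']) ? (string) $_GET['template'] : 'invoice';
if (!render_template_safe($key)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

In a WordPress handler the same function would sit behind a capability check such as `current_user_can()`, which is the practical form of the third control listed above: fewer accounts able to reach the include path means fewer accounts for which the validation has to hold.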