WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload

WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still...

CVE-2024-31118 WordPress SP Project & Document Manager plugin <= 4.70 - Broken Access Control to XSS vulnerability

Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70...

EUVD-2024-36512

Malicious code in bioql PyPI...

CVE-2024-37224

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.71...

PT-2024-27393 · Unknown · Sp Project & Document Manager

Name of the Vulnerable Software and Affected Versions: SP Project & Document Manager versions n/a through 4.71 Description: The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows for Path Traversal attacks...

WordPress SP Project & Document Manager Plugin <= 4.71 is vulnerable to Directory Traversal

Software SP Project & Document Manager Type Plugin Vulnerable versions = 4.71 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Directory Traversal CVE CVE-2024-37224 Patch priority High CVSS severity High 7.5 Developer Claim ownership PSID 45309fbf1e76 Credits CatFather Required...

CVE-2024-3748 SP Project & Document Manager <= 4.71 - Data Update via IDOR

The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the userid to make it appear that a file was uploaded by another user...

CVE-2024-3748 SP Project & Document Manager <= 4.71 - Data Update via IDOR

The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the userid to make it appear that a file was uploaded by another user...

WordPress SP Project & Document Manager Plugin <= 4.71 is vulnerable to Insecure Direct Object References (IDOR)

Software SP Project & Document Manager Type Plugin Vulnerable versions = 4.71 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Insecure Direct Object References IDOR CVE CVE-2024-3748 Patch priority Low CVSS severity Low 6.3 Developer Claim ownership PSID 1c7d92437a35 Credits...

CVE-2024-1693

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdmsavecategory AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level acce...

CVE-2024-33923 WordPress SP Project & Document Manager plugin <= 4.69 - Broken Access Control vulnerability

Missing Authorization vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.69...

WordPress SP Project & Document Manager Plugin <= 4.69 is vulnerable to Broken Access Control

Software SP Project & Document Manager Type Plugin Vulnerable versions = 4.69 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2024-33923 Patch priority Medium CVSS severity Medium 6.3 Developer Claim ownership PSID 4ab90a9cecb9 Credits Abdi Pranata...

SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR

Description The plugin lacks proper access controllers and allows a logged in user to view and download files belonging to another user As a logged in user, send a GET request: GET /wp-admin/admin-ajax.php?action=cdmfilelist&uid=3CHANGE HERE&pid=0CHANGE HERE&search=&=1708406394720 You can view...

SP Project & Document Manager <= 4.71 - Data Update via IDOR

Description The plugin is missing validation in its upload function, allowing a user to manipulate the userid to make it appear that a file was uploaded by another user PoC 1. Select to upload a file through the plugin 2. Intercept the request: Example: ------WebKitFormBoundaryX4YnPgSA4oPHlNjv...

CVE-2024-32551

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.71...

CVE-2024-32551 WordPress SP Project & Document Manage plugin <= 4.71 - Auth. SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.71...

CVE-2024-32551

CVE-2024-32551 is a SQL Injection vulnerability in SP Project & Document Manager for WordPress (affecting versions from n/a through 4.71). The issue stems from improper neutralization of SQL elements in the plugin’s SP Project & Document Manager component, enabling an attacker with HIGH privilege...

CVE-2024-32551 WordPress SP Project & Document Manage plugin <= 4.71 - Auth. SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.71...

WordPress Plugin SP Project & Document Manager SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress Plugin SP Project &...

WordPress SP Project & Document Manager Plugin <= 4.71 is vulnerable to SQL Injection

Software SP Project & Document Manager Type Plugin Vulnerable versions = 4.71 Fixed in N/A OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2024-32551 Patch priority Low CVSS severity Low 7.6 Developer Claim ownership PSID 4e8128ffc035 Credits CatFather Required privilege Author...