Lucene search

K
SmartypantspluginsSp Project & Document Manager

13 matches found

CVE
CVE
added 2021/06/14 2:15 p.m.156 views

CVE-2021-24347

The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be u...

8.8CVSS8.6AI score0.81417EPSS
CVE
CVE
added 2024/02/28 1:15 p.m.104 views

CVE-2024-24868

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.69.

8.8CVSS8.8AI score0.00284EPSS
CVE
CVE
added 2022/07/25 1:15 p.m.65 views

CVE-2022-1551

The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.

6.5CVSS6.4AI score0.00213EPSS
CVE
CVE
added 2024/05/15 6:15 a.m.57 views

CVE-2024-3748

The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the user_id to make it appear that a file was uploaded by another user

6.5CVSS6.6AI score0.00233EPSS
CVE
CVE
added 2022/04/25 4:16 p.m.54 views

CVE-2021-4225

The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered ...

8.8CVSS8.8AI score0.01202EPSS
CVE
CVE
added 2024/05/15 6:15 a.m.53 views

CVE-2024-3749

The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user

6.5CVSS6.5AI score0.00616EPSS
CVE
CVE
added 2022/08/22 3:15 p.m.52 views

CVE-2022-34857

Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress

6.1CVSS6AI score0.00148EPSS
CVE
CVE
added 2021/08/16 7:15 p.m.46 views

CVE-2021-38315

The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.

6.1CVSS6AI score0.0021EPSS
CVE
CVE
added 2023/11/03 11:15 p.m.45 views

CVE-2023-36677

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager allows SQL Injection.This issue affects SP Project & Document Manager: from n/a through 4.67.

8.8CVSS9.1AI score0.00211EPSS
CVE
CVE
added 2023/08/10 12:15 p.m.40 views

CVE-2023-36530

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Smartypants SP Project & Document Manager plugin <= 4.67 versions.

5.9CVSS5AI score0.00058EPSS
CVE
CVE
added 2024/07/09 10:15 a.m.40 views

CVE-2024-37224

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.71.

7.5CVSS7AI score0.00553EPSS
CVE
CVE
added 2023/06/30 2:15 a.m.37 views

CVE-2023-3063

The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it pos...

8.8CVSS8.7AI score0.00075EPSS
CVE
CVE
added 2014/12/02 4:59 p.m.34 views

CVE-2014-9178

Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor ...

7.5CVSS8.9AI score0.0207EPSS