13 matches found
CVE-2021-24347
The CVE-2021-24347 entry concerns the WordPress SP Project & Document Manager plugin prior to version 4.22. The vulnerability arises because the plugin attempts to block executable uploads by checking file extensions, but PHP files can still be uploaded by altering the extension case (e.g., php t...
CVE-2024-24868
CVE-2024-24868 affects the WordPress plugin SP Project & Document Manager (versions up to 4.69). It is a SQL Injection due to improper neutralization of input in the plugin, enabling unauthorized data access/injection via authenticated conduit. The issue is mitigated by upgrading to version 4.70,...
CVE-2022-1551
CVE-2022-1551 affects the SP Project & Document Manager WordPress plugin prior to version 4.58. The issue stems from an easily guessable path used to store user files, enabling a user to access other users’ sensitive files. Exploitation details in connected documents include a PoC demonstrating a...
CVE-2024-3748
CVE-2024-3748 affects the SP Project & Document Manager WordPress plugin (versions ≤ 4.71). The issue is an IDOR in the upload function where an attacker can manipulate the user_id to make a file appear uploaded by another user, enabling potential unauthorized access or attribution. Connected sou...
CVE-2021-4225
The CVE concerns the SP Project & Document Manager WordPress plugin (pre-4.24). The issue arises in the file-upload feature, where authentication is not restricted and users such as subscribers can upload files. The vendor’s extension-based checks are intended to block executable PHP or similar f...
CVE-2023-36677
CVE-2023-36677 concerns the WordPress SP Project & Document Manager plugin. The vulnerability is an SQL Injection caused by improper neutralization of special elements in an SQL command, affecting versions n/a through 4.67. The issue is categorized as high severity with potential impact to confid...
CVE-2021-38315
The CVE-2021-38315 entry concerns the SP Project & Document Manager WordPress plugin (versions
CVE-2022-34857
CVE-2022-34857 is a reflected Cross-Site Scripting vulnerability in the WordPress plugin SP Project & Document Manager (smartypants) version
CVE-2024-3749
The CVE-2024-3749 entry concerns the SP Project & Document Manager WordPress plugin (versions up to 4.71). Multiple sources describe an IDOR/undue access flaw: a logged-in subscriber can view or download files belonging to other users due to insufficient access controls. The vulnerability is char...
CVE-2023-3063
CVE-2023-3063 affects SP Project & Document Manager (WordPress) up to version 4.67. Root cause: Insecure Direct Object References (IDOR) allowing authenticated users with subscriber privileges (or higher) to access objects and bypass authorization, enabling password changes and potential administ...
CVE-2024-37224
CVE-2024-37224 is a path traversal vulnerability in WordPress plugin SP Project & Document Manager (SP Client Document Manager) affecting versions up to 4.71. The issue arises from an improper limitation of a pathname to a restricted directory , enabling access to files outside allowed directorie...
CVE-2023-36530
CVE-2023-36530 is a Stored XSS affecting the WordPress plugin SP Project & Document Manager (versions
CVE-2014-9178
CVE-2014-9178 affects the WordPress plugin “SP Client Document Manager” (sp-client-document-manager) up to version 2.4.1. The vulnerability is a Multiple SQL Injection in classes/ajax.php, exploitable via (1) vendor_email[] in the email_vendor function or (2) id in the download_project, (3) downl...