CVE-2021-24347
published 2021-06-14


Priority: P2 (75, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 52.01% (98.8th percentile)
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files. The plugin attempts to prevent PHP and similar server-executable files from being uploaded by checking the file extension, but it was discovered that PHP files could still be uploaded by changing the case of the extension, for example from "php" to "pHP".

Affected

1 range
Vendor: smartypantsplugins
Product: sp_project_document_manager
Version range: < 4.22
Fixed in: 4.22

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=
Path: /wp-content/uploads/sp-client-document-manager/
  • Detect PHP webshell upload bypass via mixed-case file extensions (e.g., .pHP, .Php, .PHp) in multipart upload requests to the SP Project & Document Manager plugin endpoint.
  • Monitor POST requests to wp-admin/admin.php?page=sp-client-document-manager-fileview for multipart uploads whose filenames carry mixed-case PHP extensions (.pHP, .Php, etc.).
  • Alert on HTTP GET requests to /wp-content/uploads/sp-client-document-manager/ for files with mixed-case .pHP (or similar) extensions that return HTTP 200 with Content-Type text/html; this indicates the uploaded file was executed as a webshell.
  • The public exploit uses the p0wny-shell web shell payload; look for its characteristic HTML title string 'p0wny@shell:~#' in responses served from the uploads directory.
  • Detect the multipart form-data boundary '37032792112149247252673711332' in POST request bodies as a static artifact of that exploit.
  • The Metasploit module targets the same upload endpoint with valid credentials; monitor for reverse shell activity spawned by PHP executed from the wp-content/uploads/sp-client-document-manager/ directory.
  • Exploitation requires an authenticated WordPress user account; unauthenticated exploitation is not possible with this vulnerability alone.
  • The vulnerability is fixed in version 4.22 and later; only plugin versions before 4.22 are affected.
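As an added defender-side example (not code from this page or from the plugin; the extension list beyond "php", the log format and the sample log lines are assumptions), the flawed exact-case extension check is shown beside its case-normalised fix, followed by a scan over constructed access-log lines for PHP-like files requested from the plugin's uploads directory:

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

UPLOAD_DIR = "/wp-content/uploads/sp-client-document-manager/"
# Server-executable extensions an upload filter must reject (assumed set; the page
# only names "php"). The pre-4.22 flaw was comparing these case-sensitively.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

def _ext(name):
    return posixpath.splitext(name)[1].lstrip(".")

def is_blocked_case_sensitive(filename):
    """Flawed check in the spirit of the bug: 'pHP' slips past an exact-match blocklist."""
    return _ext(filename) in PHP_EXTS

def is_blocked(filename):
    """Hardened check: normalise case before comparing against the blocklist."""
    return _ext(filename).lower() in PHP_EXTS

# Combined-format access log line: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Flag requests for PHP-like files under the plugin's uploads directory.
    Returns (client, path, status, mixed_case) tuples: any PHP file served from here is
    suspicious; mixed_case=True marks this CVE's bypass pattern; 200 suggests execution."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path = unquote(urlsplit(target).path)   # decode %2E-style obfuscation first
        if not path.startswith(UPLOAD_DIR):
            continue
        ext = _ext(path)
        if ext.lower() in PHP_EXTS:
            hits.append((client, path, int(status), ext != ext.lower()))
    return hits

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jun/2021:10:01:02 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/report.pdf HTTP/1.1" 200 5120',
    '10.0.0.5 - - [14/Jun/2021:10:02:10 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/shell.pHP HTTP/1.1" 200 1843',
    '10.0.0.9 - - [14/Jun/2021:10:03:33 +0000] "GET /wp-content/uploads/sp-client-document-manager/2/index.php HTTP/1.1" 403 199',
    '10.0.0.9 - - [14/Jun/2021:10:04:00 +0000] "GET /wp-content/uploads/other/notes.pHP HTTP/1.1" 200 10',
]
```

The last sample line is deliberately outside the plugin directory and is not flagged; widen `UPLOAD_DIR` if your policy is that no PHP should ever be served from uploads at all.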

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)