Smartypantsplugins Sp Project Document Manager vulnerabilities
13 known vulnerabilities affecting smartypantsplugins/sp_project_document_manager.
Total CVEs
13
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
HIGH6MEDIUM7
Vulnerabilities
Page 1 of 1
CVE-2021-24347P2HIGHCVSS 8.8PoCfixed in 4.222021-06-14
CVE-2021-24347 [HIGH] CWE-178 CVE-2021-24347: The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for exa
nvd
CVE-2014-9178P3HIGHCVSS 7.5PoC≤ 2.4.12014-12-02
CVE-2014-9178 [HIGH] CWE-89 CVE-2014-9178: Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project &
Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3)
nvd
CVE-2023-3063P3HIGHCVSS 8.8≤ 4.672023-06-30
CVE-2023-3063 [HIGH] CWE-639 CVE-2023-3063: The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object Refer
The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privil
nvd
CVE-2023-36677P3HIGHCVSS 8.8≤ 4.672023-11-03
CVE-2023-36677 [HIGH] CWE-89 CVE-2023-36677: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager allows SQL Injection.This issue affects SP Project & Document Manager: from n/a through 4.67.
nvd
CVE-2024-24868P3HIGHCVSS 8.8fixed in 4.702024-02-28
CVE-2024-24868 [HIGH] CWE-89 CVE-2024-24868: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.69.
nvd
CVE-2021-4225P3HIGHCVSS 8.8fixed in 4.242022-04-25
CVE-2021-4225 [HIGH] CWE-434 CVE-2021-4225: The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such
The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place wer
nvd
CVE-2024-3749P3MEDIUMCVSS 6.5fixed in 4.712024-05-15
CVE-2024-3749 [MEDIUM] CWE-639 CVE-2024-3749: The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and
The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user
nvd
CVE-2024-37224P3MEDIUMCVSS 6.5≤ 4.712024-07-09
CVE-2024-37224 [MEDIUM] CWE-22 CVE-2024-37224: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in smar
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.71.
nvd
CVE-2024-3748P3MEDIUMCVSS 6.5≤ 4.712024-05-15
CVE-2024-3748 [MEDIUM] CWE-639 CVE-2024-3748: The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload
The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user
nvd
CVE-2022-1551P3MEDIUMCVSS 6.5fixed in 4.582022-07-25
CVE-2022-1551 [MEDIUM] CWE-425 CVE-2022-1551: The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to stor
The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.
nvd
CVE-2021-38315P4MEDIUMCVSS 6.1≤ 4.252021-08-16
CVE-2021-38315 [MEDIUM] CWE-79 CVE-2021-38315: The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-
The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.
nvd
CVE-2022-34857P4MEDIUMCVSS 6.1fixed in 4.622022-08-22
CVE-2022-34857 [MEDIUM] CWE-79 CVE-2022-34857: Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plug
Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress
nvd
CVE-2023-36530P4MEDIUMCVSS 4.8≤ 4.672023-08-10
CVE-2023-36530 [MEDIUM] CWE-79 CVE-2023-36530: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Smartypants SP Project & Document
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Smartypants SP Project & Document Manager plugin <= 4.67 versions.
nvd