Sp Project & Document Manager

sp_project_&_document_manager

CVEs (13)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-37224 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Jul 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.71.
CVE-2024-3749 1Smartypantsplugins 1Sp Project & Document Manager May 15, 2025 May 15, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user
CVE-2024-3748 1Smartypantsplugins 1Sp Project & Document Manager May 15, 2025 May 15, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user
CVE-2024-24868 1Smartypantsplugins 1Sp Project & Document Manager Apr 28, 2026 Feb 28, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.69.
CVE-2023-36677 1Smartypantsplugins 1Sp Project & Document Manager Apr 28, 2026 Nov 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager allows SQL Injection.This issue affects SP Project & Document Manager: from...Show more Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager allows SQL Injection.This issue affects SP Project & Document Manager: from n/a through 4.67.Show less
CVE-2023-36530 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Aug 10, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Smartypants SP Project & Document Manager plugin <= 4.67 versions.
CVE-2023-3063 1Smartypantsplugins 1Sp Project & Document Manager Apr 8, 2026 Jun 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, let...Show more The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.Show less
CVE-2022-34857 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Aug 22, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress
CVE-2022-1551 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Jul 25, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.
CVE-2021-4225 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Apr 25, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on th...Show more The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.Show less
CVE-2021-38315 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Aug 16, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web...Show more The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.Show less
CVE-2021-24347 1Smartypantsplugins 1Sp Project & Document Manager Nov 21, 2024 Jun 14, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by...Show more The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".Show less
CVE-2014-9178 1Smartypantsplugins 1Sp Project & Document Manager May 6, 2026 Dec 2, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute a...Show more Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.Show less