SP Project & Document Manager < 4.22 - Authenticated Shell Upload
Description
SP Project & Document Manager plugin before 4.22 allows authenticated users to upload executable PHP files by bypassing extension checks via case manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The SP Project & Document Manager WordPress plugin before version 4.22 contains a file upload vulnerability. The plugin attempts to block dangerous file types such as PHP by checking the file extension, but the check is case-sensitive. An attacker can upload a file with a mixed-case extension (e.g., .pHP) that bypasses the filter while the server may still execute it as PHP. This affects all versions prior to 4.22 [1].
Exploitation
An attacker must be an authenticated user with file upload permissions. They can craft a PHP file with a manipulated extension (e.g., shell.pHP) and upload it through the plugin's interface. The server, depending on its configuration, may execute the file as PHP, allowing the attacker to run arbitrary code. The WPScan advisory includes a proof of concept [1].
Impact
Successful exploitation enables arbitrary PHP code execution on the server. This can lead to full compromise of the WordPress site, including data theft, defacement, malware injection, and further attacks on the underlying infrastructure.
Mitigation
The vulnerability is fixed in version 4.22 of the SP Project & Document Manager plugin. Users should update to 4.22 or later immediately. No workaround is documented. The plugin is not listed on the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/SP Project & Document Manager
- Range: <4.22
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Case-sensitive extension check allows PHP files with mixed-case extensions (e.g., .pHP) to bypass the blocklist."
Attack vector
An authenticated user with file upload privileges uploads a PHP file but changes the extension's case, for example from ".php" to ".pHP", to bypass the plugin's extension blocklist [1]. The server's underlying filesystem or web server configuration may still execute the file as PHP because many environments treat extensions case-insensitively. This allows the attacker to achieve arbitrary code execution on the server [1].
Affected code
The file upload handler in the SP Project & Document Manager plugin (versions before 4.22) performs extension checking without normalizing case. The advisory does not specify the exact file or function name, but the flaw lies in the extension validation logic that compares user-supplied file extensions against a blocklist without case-insensitive matching [1].
What the fix does
The advisory states the vulnerability is fixed in version 4.22 of the plugin [1]. No patch diff is provided in the bundle, but the remediation would involve normalizing the file extension to lowercase (or using a case-insensitive comparison) before checking it against the blocklist of dangerous extensions. This ensures that variations like ".pHP" are correctly rejected.
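The following PHP snippet is an added illustration, not the plugin's own code: the advisory does not publish the affected function, so the blocklist, the function names and the sample filenames here are hypothetical. It places a case-sensitive blocklist check (the class of defect described above) beside a lowercase-normalized check, and beside an allowlist of document types, which is the stricter form a document manager would normally want.

```php
<?php
// Added example, not the SP Project & Document Manager code. The blocklist,
// function names and sample filenames are assumptions for illustration.

// Hypothetical blocklist of extensions the server might execute as PHP.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

// Vulnerable pattern: in_array() with strict comparison is byte-exact, so the
// extension "pHP" is not found in a list that only contains "php".
function is_blocked_case_sensitive(string $filename): bool
{
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Hardened pattern: normalize the user-supplied extension to lowercase before
// comparing, so "pHP", "PHP" and "php" all hit the same blocklist entry.
function is_blocked_normalized(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Stricter design: an allowlist of document types. Anything not explicitly
// permitted (including a missing extension) is rejected, so new executable
// extensions never need to be added to a blocklist.
function is_allowed_document(string $filename): bool
{
    $allowed = ['pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'png', 'jpg', 'jpeg'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample filenames exercising the three checks.
$samples = ['report.pdf', 'shell.php', 'shell.pHP', 'shell.PHP', 'noext'];
foreach ($samples as $name) {
    printf(
        "%-11s case-sensitive blocked=%-3s normalized blocked=%-3s allowlist ok=%s\n",
        $name,
        is_blocked_case_sensitive($name) ? 'yes' : 'no',
        is_blocked_normalized($name) ? 'yes' : 'no',
        is_allowed_document($name) ? 'yes' : 'no'
    );
}
```

Run with `php example.php`: only the case-sensitive column reports "no" for `shell.pHP` and `shell.PHP`, which is the gap the advisory describes. In a real WordPress plugin, the core helper `wp_check_filetype()` validates an upload against the site's allowed MIME-type list and is the natural replacement for a hand-rolled extension blocklist.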
Preconditions
- auth: Attacker must be an authenticated user of the WordPress site with permission to upload files via the plugin
- config: The plugin version must be prior to 4.22
- config: The web server must be configured to execute files with non-standard-case PHP extensions (e.g., .pHP) as PHP scripts
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html (MITRE refsource: MISC)
- packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html (MITRE refsource: MISC)
- wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a (MITRE refsource: CONFIRM)
News mentions
No linked articles in our index yet.