VYPR
Unrated severity · NVD Advisory · Published Apr 25, 2022 · Updated Aug 3, 2024

SP Project & Document Manager < 4.24 - Subscriber+ Shell Upload

CVE-2021-4225

Description

SP Project & Document Manager plugin before 4.24 on Windows allows authenticated users to upload executable files by bypassing extension checks with a trailing dot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SP Project & Document Manager WordPress plugin in versions before 4.24 allows any authenticated user (e.g., a subscriber) to upload files. The plugin attempts to block PHP and other executable files by checking the file extension, but on Windows servers the check is insufficient: an attacker can upload a file named 1.php. (with a trailing period), which passes the extension filter and which Windows saves as 1.php, a valid PHP file. Affected versions: all versions prior to 4.24 [1][2].

Exploitation

The attacker must be an authenticated user on a WordPress site running the plugin on a Windows server. The attacker uploads a file via the plugin's document manager page (e.g., sp-document), intercepts the upload request, and renames the dlg-upload-file[] parameter value from 1.txt to 1.php. (ending in a dot). The server saves the file without the trailing dot, resulting in a working .php webshell [2].

Impact

Successful exploitation allows the attacker to upload arbitrary PHP files (webshells) to the server. This can lead to remote code execution, complete compromise of the WordPress site, and potential lateral movement on the server. The attacker gains the ability to execute commands, view or modify files, and access sensitive data [1][2].

Mitigation

Fixed in version 4.24 released on 2022-04-25. Users should update to version 4.24 or later. For servers that cannot be updated, consider hardening Windows file handling or removing the plugin. The vulnerability is not listed in CISA KEV as of this writing [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient filename sanitization on Windows servers allows a trailing dot to bypass the extension blacklist, causing the OS to save the file with a .php extension."

Attack vector

An authenticated user (e.g., a subscriber) accesses the SP Project & Document Manager upload page and intercepts the upload request. The attacker renames the `dlg-upload-file[]` parameter from a benign filename like `1.txt` to `1.php.` — the trailing dot is critical [ref_id=2]. On a Windows server, the operating system strips the trailing dot during file save, resulting in a `1.php` file in the uploads directory. The attacker then visits the uploaded webshell at `http://xxx.com/wp-content/uploads/sp-client-document-manager/[user's uid]/1.php` to execute arbitrary code [ref_id=2].

Affected code

The plugin's file upload handler in versions before 4.24 checks file extensions to block executable files like PHP. On Windows servers, the extension check is insufficient because a filename ending with a trailing dot (e.g., `1.php.`) passes the validation but Windows saves it as `1.php` [ref_id=2]. The upload endpoint is exposed to any authenticated user, including subscribers [ref_id=1].

What the fix does

The advisory states the vulnerability is fixed in version 4.24 [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper filename sanitization that strips trailing dots and/or validates the final extension after Windows filesystem normalization. The researcher notes that the previous fix (for a related issue) only blocked mixed-case extensions like `.pHp`, but did not handle the trailing-dot bypass on Windows [ref_id=2].
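As an added example (not the plugin's code and not the 4.24 fix, whose diff is not in the bundle), the shape of the last-extension blacklist check the advisory describes, beside a hardened check that normalizes the filename the way Windows does and validates against an allowlist. The blocked and allowed extension lists and the sample filenames are assumptions constructed for the illustration:

```php
<?php
// Added example, not code from the SP Project & Document Manager plugin.

// Vulnerable shape: only the text after the last dot is inspected, so
// "1.php." yields an empty extension and passes. Windows then drops the
// trailing dot on save and the file lands on disk as "1.php".
function vulnerable_extension_check(string $filename): bool {
    $blocked = ['php', 'phtml', 'php3', 'php5', 'phar'];   // assumed blacklist
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);                // true = upload allowed
}

// Hardened shape: normalize like the Windows filesystem first (strip trailing
// dots and spaces), reject any blocked token anywhere in the name, and accept
// only an explicit allowlist of final extensions.
function hardened_extension_check(string $filename, array $allowed = ['txt', 'pdf', 'png', 'jpg', 'docx']): bool {
    $name = basename($filename);       // drop any path component
    $name = rtrim($name, ". ");        // Windows removes trailing dots/spaces on save
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;                  // no extension at all
    }
    array_shift($parts);               // drop the base name, keep every extension
    $blocked = ['php', 'phtml', 'php3', 'php5', 'phar'];
    foreach ($parts as $p) {           // also catches double extensions such as shell.php.txt
        if (in_array($p, $blocked, true)) {
            return false;
        }
    }
    return in_array(end($parts), $allowed, true);
}

// Constructed sample filenames, including the advisory's "1.php." bypass.
$samples = ['1.txt', '1.php', '1.pHp', '1.php.', '1.php ', 'shell.php.txt', '1.txt.'];
foreach ($samples as $f) {
    printf("%-16s vulnerable=%s hardened=%s\n", var_export($f, true),
        vulnerable_extension_check($f) ? 'allow' : 'block',
        hardened_extension_check($f) ? 'allow' : 'block');
}
```

Run with the PHP CLI; the vulnerable check reports "allow" for `1.php.` (and `1.php `) while the hardened check blocks both and still accepts `1.txt.`, since the trailing dot is stripped before the extension is judged.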

Preconditions

  • auth: Attacker must have a valid WordPress account (any role, including subscriber)
  • config: Target web server must be running Microsoft Windows
  • config: The SP Project & Document Manager plugin must be installed and active with a version before 4.24
  • network: Attacker must be able to reach the plugin's file upload endpoint

Reproduction

1. Log in to WordPress as any authenticated user (e.g., a subscriber).
2. Navigate to the SP Project & Document Manager page (e.g., `sp-document`).
3. Upload a file and intercept the request with a proxy.
4. Change the `dlg-upload-file[]` parameter value from `1.txt` to `1.php.` — ensure the filename ends with a dot after the extension.
5. Forward the request.
6. Access the uploaded shell at `http://xxx.com/wp-content/uploads/sp-client-document-manager/[user's uid]/1.php` [ref_id=2].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.