VYPR
Unrated severity · NVD Advisory · Published Aug 22, 2022 · Updated Apr 28, 2026 · No known patch

WordPress SP Project & Document Manager plugin <= 4.59 - Reflected Cross-Site Scripting (XSS) vulnerability

CVE-2022-34857

Description

Reflected XSS in SP Project & Document Manager plugin <= 4.59 for WordPress; plugin removed from directory, no fix available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SP Project & Document Manager plugin (slug: sp-client-document-manager) for WordPress, in versions up to and including 4.59, contains a reflected Cross-Site Scripting (XSS) vulnerability. An attacker can inject arbitrary JavaScript via a crafted URL parameter that is not properly sanitized before being reflected in the response. The attacker needs no authentication or special configuration to trigger the vulnerability; the victim only needs to visit a maliciously crafted link.

Exploitation

An attacker sends a crafted link to a logged-in WordPress user. When the user clicks the link, the injected JavaScript executes in the context of the victim's browser session with the WordPress site. The attack requires no special privileges or network position; the attacker must simply trick the user into clicking the link.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of session cookies, redirection to malicious sites, defacement of the page, or other actions within the context of the affected WordPress site and user's session.

Mitigation

The plugin has been closed and removed from the WordPress.org plugin directory as of March 7, 2024, due to a security issue [1]. No patched version is available through the official directory. Users who have this plugin installed should uninstall it immediately and consider alternative solutions. There is no known workaround.
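To act on the uninstall advice, this added example (not part of the advisory or the plugin) checks one WordPress root for the plugin directory and reads the version from its plugin header. It assumes the default `wp-content/plugins` layout; the function names, output format and fixture contents are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory check for the removed plugin.
SLUG="sp-client-document-manager"  # plugin slug, from the advisory
LAST_AFFECTED="4.59"               # highest affected version, from the advisory

# Succeeds when dotted version $1 <= $2, comparing components numerically.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print the Version: header of the top-level PHP file carrying "Plugin Name:".
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        head -c 8192 "$f" | grep -q 'Plugin Name:' || continue
        head -c 8192 "$f" |
            sed -n 's/^[^A-Za-z]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
        return 0
    done
}

# Report the plugin's state under one WordPress root (default layout assumed).
# No fixed release is listed, so a version above LAST_AFFECTED goes to review.
scan_wp_root() {
    dir="$1/wp-content/plugins/$SLUG"
    [ -d "$dir" ] || { echo "absent"; return 0; }
    ver=$(plugin_version "$dir")
    if [ -z "$ver" ]; then
        echo "present version=unknown action=uninstall"
    elif version_le "$ver" "$LAST_AFFECTED"; then
        echo "present version=$ver affected=yes action=uninstall"
    else
        echo "present version=$ver affected=unlisted action=review"
    fi
}

# Build a constructed fixture tree for offline testing (header values made up).
make_fixture() {
    mkdir -p "$1/wp-content/plugins/$SLUG"
    printf '<?php\n/*\n * Plugin Name: Constructed Fixture\n * Version: %s\n */\n' "$2" > "$1/wp-content/plugins/$SLUG/fixture-main.php"
}

if [ "$#" -gt 0 ]; then scan_wp_root "$1"; fi
```

Run it with the WordPress root as the only argument; a result of `present` with any version means the plugin directory still exists on disk, whether or not the plugin is active.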

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0
Plugin removed: SP Project & Document Manager (sp-client-document-manager)

This plugin was removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page

References

2
