WordPress SP Project & Document Manager Plugin <= 4.67 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
A stored XSS vulnerability in the SP Project & Document Manager plugin <=4.67 allows admin-level attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated stored cross-site scripting (XSS) vulnerability exists in the Smartypants SP Project & Document Manager WordPress plugin (slug: sp-client-document-manager) versions up to and including 4.67. The vulnerability allows users with administrator-level privileges (admin+) to inject arbitrary web scripts via the plugin's file or project management interfaces, which are then stored and executed when other admin users view the affected pages [1].
Exploitation
To exploit this vulnerability, an attacker must have valid WordPress admin credentials for the target site. The attacker crafts a malicious payload (e.g., JavaScript) and injects it through a vulnerable input field (such as a project name, document title, or metadata field) that lacks proper sanitization. Once stored, the payload triggers in the browser of any other admin user who loads the compromised page, executing in the context of the victim's session [1].
Impact
Successful exploitation results in stored cross-site scripting, which can lead to session hijacking, cookie theft, redirection to malicious sites, or the execution of additional administrative actions under the victim's identity. Since the attacker requires admin-level access, the primary impact is privilege escalation within the admin panel and potential compromise of the entire WordPress installation [1].
Mitigation
No official patched version exists; the plugin was closed and removed from the WordPress.org plugin directory on March 7, 2024, explicitly due to a security issue. Users who have the plugin installed should uninstall it immediately and replace it with an alternative. No workaround or fix has been published [1].
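As an added illustration (not the plugin's own code), the following hypothetical WordPress snippet shows the class of defect described above, a stored project name echoed into an admin page without escaping, beside the idiomatic fix of sanitizing on input and escaping on output; the table name, field names and function names are assumptions.

```php
<?php
// Added example, not code from the SP Project & Document Manager plugin.
// Table, field and function names are hypothetical.

// Vulnerable pattern: a stored project name is emitted verbatim into HTML,
// so any markup saved in that field runs in the browser of the next admin
// who views the listing.
function spdm_demo_render_project_row_unsafe( $project ) {
    return '<tr><td>' . $project->name . '</td>'
         . '<td><a href="?page=spdm&id=' . $project->id . '">' . $project->title . '</a></td></tr>';
}

// Hardened pattern, part 1: check intent and capability, then sanitize before storing.
function spdm_demo_save_project( array $request ) {
    // A nonce ties the write to a form the admin actually submitted.
    if ( ! isset( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], 'spdm_save_project' ) ) {
        wp_die( 'Invalid request.' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'spdm_projects',            // hypothetical table
        array(
            // sanitize_text_field() strips tags and control characters from plain-text fields.
            'name'  => sanitize_text_field( wp_unslash( $request['name'] ) ),
            'title' => sanitize_text_field( wp_unslash( $request['title'] ) ),
        ),
        array( '%s', '%s' )
    );
}

// Hardened pattern, part 2: escape on output with the escaper matching the context.
// This holds even for rows that were saved before sanitization was added.
function spdm_demo_render_project_row_safe( $project ) {
    $url = add_query_arg(
        array( 'page' => 'spdm', 'id' => (int) $project->id ),
        admin_url( 'admin.php' )
    );
    return '<tr><td>' . esc_html( $project->name ) . '</td>'
         . '<td><a href="' . esc_url( $url ) . '">' . esc_html( $project->title ) . '</a></td></tr>';
}
```

Output escaping is the control that matters most for stored XSS, since it neutralizes values that reached the database through any path, including imports or older plugin versions.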
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.67
- Smartypants / SP Project & Document Manager v5: range n/a
Patches
sp-client-document-manager: This plugin has been removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.