CVE-2024-31118
Description
Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SP Project & Document Manager: from n/a through 4.70.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in SP Project & Document Manager (≤4.70) allows unprivileged users to trigger actions requiring higher privileges, potentially leading to XSS.
Vulnerability
Overview
CVE-2024-31118 is a missing authorization vulnerability in the WordPress plugin SP Project & Document Manager (versions n/a through 4.70). The plugin fails to properly enforce access control checks, allowing users with lower privileges to execute functions that should require higher-level permissions. This broken access control issue stems from missing authorization, authentication, or nonce token checks in certain plugin functions [1].
Exploitation
Exploitation requires a privileged user to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a form. An attacker holding the role named as the required privilege level can initiate the attack, but successful exploitation depends on the privileged user taking that additional action. This makes it a moderate-severity issue (CVSS 6.5) that is nonetheless expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Impact
An attacker who successfully exploits this vulnerability can trigger higher-privileged actions, potentially leading to cross-site scripting (XSS) or other unauthorized operations. The impact is amplified by the likelihood of automated exploitation in widespread campaigns [1].
Mitigation
As of the publication date, the vendor has not released an official patch. Users are advised to update the plugin immediately when a fix becomes available. If updating is not possible, users should contact their hosting provider or web developer for assistance. Patchstack has issued a mitigation rule to block attacks until an official patch can be tested and safely applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.70
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.