VYPR
Unrated severity · NVD Advisory · Published May 15, 2024 · Updated Aug 1, 2024

SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR

CVE-2024-3749

Description

The SP Project & Document Manager WordPress plugin through 4.71 has an IDOR vulnerability allowing any authenticated user to view and download files owned by other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SP Project & Document Manager WordPress plugin through version 4.71 lacks proper access controls on file download endpoints, leading to an Insecure Direct Object Reference (IDOR) vulnerability. A logged-in user can directly access files belonging to other users without authorization checks [1]. The affected plugin slug is sp-client-document-manager.

Exploitation

An attacker must be authenticated to the WordPress instance; a Subscriber-level account, the lowest default role, is sufficient and no further privileges are needed. Exploitation consists of taking a legitimate download request and substituting the file identifier with one belonging to another user; because the identifier alone selects the file, the attacker can walk through identifiers to reach files owned by anyone on the site [1]. The WPScan advisory classifies the vulnerability as IDOR and assigns a CVSS score of 4.3 (medium).

Impact

Successful exploitation allows an authenticated attacker to view and download arbitrary files uploaded by other users through the plugin. This leads to unauthorized disclosure of potentially sensitive or private documents, compromising confidentiality [1]. The attacker does not gain code execution or elevated privileges on the WordPress site.

Mitigation

As of the advisory (published 2024-05-15, last updated 2024-08-01), no fix is available; the advisory states "No known fix" [1]. Note that a Web Application Firewall is a weak control here: an IDOR request is syntactically identical to a legitimate download and differs only in whose file the identifier points at, which a WAF cannot judge. Practical interim measures are to deactivate or remove the plugin, to disable open user registration so that attackers cannot self-provision the Subscriber account the attack requires, and to review existing low-privilege accounts until a patched version is released.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing authorization checks on file download/view endpoints allow a user-controlled identifier to access another user's files."

Attack vector

An authenticated attacker (Subscriber role or higher) can enumerate or guess file identifiers belonging to other users and directly request those files via the plugin's download/view endpoints. The plugin lacks proper access controls to verify that the requesting user owns or is authorized to access the target file [CWE-639] [ref_id=1]. This allows a logged-in user to view and download files belonging to any other user on the same WordPress site.

Affected code

The advisory does not specify exact function names or file paths. The plugin slug is `sp-client-document-manager` (version through 4.71) and the vulnerability is an Insecure Direct Object Reference (IDOR) in the file download/view functionality [ref_id=1].

What the fix does

No patch or fix has been published by the plugin vendor as of the advisory's last update [ref_id=1]. The remediation guidance is to implement proper authorization checks on file download/view endpoints, ensuring that the current user's identity is validated against the file owner or an explicit access control list before serving any file.
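The attack vector and remediation guidance above can be made concrete with the following added example; it is not code from SP Project & Document Manager, whose function names and file paths the advisory does not disclose. It models a WordPress download handler first in the IDOR-prone shape the advisory describes (the identifier alone selects the file) and then in the ownership-checked shape the guidance calls for. The table `{prefix}spdm_files` with columns `id`, `owner_id` and `path`, the request parameter `file_id`, the nonce action `spdm_download`, the admin-post action `spdm_example_download` and the `manage_options` capability are all assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names: table
// {prefix}spdm_files (id, owner_id, path), parameter file_id, nonce action
// spdm_download, admin-post action spdm_example_download.

/**
 * IDOR-prone shape: being logged in is the only gate, so any Subscriber who
 * changes file_id receives another user's file.
 */
function spdm_example_download_vulnerable() {
    global $wpdb;
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 401 ) );
    }
    $file_id = isset( $_GET['file_id'] ) ? absint( $_GET['file_id'] ) : 0;
    $row     = $wpdb->get_row(
        $wpdb->prepare( "SELECT path FROM {$wpdb->prefix}spdm_files WHERE id = %d", $file_id )
    );
    if ( ! $row ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    spdm_example_stream( $row->path ); // no check of who owns the row
}

/**
 * Hardened shape: the authorization decision compares the file's owner with
 * the requesting user (or requires an explicit management capability), and
 * the request carries a nonce so it cannot be forged cross-site.
 */
function spdm_example_download_hardened() {
    global $wpdb;
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 401 ) );
    }
    check_admin_referer( 'spdm_download' ); // dies with 403 if _wpnonce is missing or stale
    $file_id = isset( $_GET['file_id'] ) ? absint( $_GET['file_id'] ) : 0;
    $row     = $wpdb->get_row(
        $wpdb->prepare( "SELECT path, owner_id FROM {$wpdb->prefix}spdm_files WHERE id = %d", $file_id )
    );
    $is_owner = $row && (int) $row->owner_id === get_current_user_id();
    if ( ! $row || ( ! $is_owner && ! current_user_can( 'manage_options' ) ) ) {
        // Identical response for "no such file" and "not your file", so a
        // 403-vs-404 difference cannot be used to enumerate valid identifiers.
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    spdm_example_stream( $row->path );
}

/**
 * Serve a file from the plugin's upload directory; the realpath comparison
 * keeps a stored path from escaping that directory.
 */
function spdm_example_stream( $relative_path ) {
    $base = realpath( wp_upload_dir()['basedir'] . '/spdm' );
    if ( false === $base ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    $full = realpath( $base . '/' . $relative_path );
    if ( false === $full || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $full ) . '"' );
    header( 'Content-Length: ' . filesize( $full ) );
    readfile( $full );
    exit;
}

// Only the hardened handler is hooked. It is reached by logged-in users at
// admin-post.php?action=spdm_example_download&file_id=N&_wpnonce=...
add_action( 'admin_post_spdm_example_download', 'spdm_example_download_hardened' );
```

Download links for the hardened handler are generated with `wp_nonce_url( admin_url( 'admin-post.php?action=spdm_example_download&file_id=' . $id ), 'spdm_download' )`. The essential change is the `owner_id` comparison: the nonce stops cross-site forgery but does nothing against a logged-in attacker, and `manage_options` stands in for whatever administrative capability a real plugin would use for its management role.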

Preconditions

  • auth: Attacker must have a valid user account on the WordPress site (Subscriber role or higher)
  • config: The SP Project & Document Manager plugin (version <= 4.71) must be installed and active
  • input: The target user must have uploaded files via the plugin that are stored with predictable identifiers

Reproduction

Log in as a Subscriber-level user. Navigate to the file management area of the SP Project & Document Manager plugin. Intercept the download/view request for a file and modify the file identifier parameter to reference a file belonging to another user. The server serves the file without verifying ownership, confirming the IDOR vulnerability [ref_id=1]. The cleanest confirmation uses two accounts: upload a file as user A and note its identifier, then request that identifier as user B; a correct implementation refuses the request, whereas the affected version returns the file contents.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in the index yet)