VYPR

Sp Project \& Document Manager

by WordPress

CVEs (16)

  • CVE-2021-24347HigJun 14, 2021
    risk 0.64cvss 8.8epss 0.52

    The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php…

  • CVE-2023-3063HigJun 30, 2023
    risk 0.57cvss 8.8epss 0.01

    The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system…

  • CVE-2021-4225HigApr 25, 2022
    risk 0.57cvss 8.8epss 0.02

    The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file…

  • CVE-2024-24868HigFeb 28, 2024
    risk 0.55cvss 8.5epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.69.

  • CVE-2023-36677HigNov 3, 2023
    risk 0.54cvss 8.3epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager allows SQL Injection.This issue affects SP Project & Document Manager: from n/a through 4.67.

  • CVE-2026-10737HigJun 4, 2026
    risk 0.49cvss 7.5epss 0.00

    The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and…

  • CVE-2024-37224HigJul 9, 2024
    risk 0.49cvss 7.5epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.71.

  • CVE-2024-32551HigApr 18, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.71.

  • CVE-2024-3749MedMay 15, 2024
    risk 0.42cvss 6.5epss 0.01

    The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user

  • CVE-2024-3748MedMay 15, 2024
    risk 0.42cvss 6.5epss 0.00

    The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user

  • CVE-2022-1551MedJul 25, 2022
    risk 0.42cvss 6.5epss 0.01

    The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.

  • CVE-2024-33923MedMay 3, 2024
    risk 0.41cvss 6.3epss 0.00

    Missing Authorization vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.69.

  • CVE-2022-34857MedAug 22, 2022
    risk 0.40cvss 6.1epss 0.00

    Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress

  • CVE-2021-38315MedAug 16, 2021
    risk 0.40cvss 6.1epss 0.01

    The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.

  • CVE-2024-1693MedMay 14, 2024
    risk 0.28cvss 4.3epss 0.00

    The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with…

  • CVE-2014-9178Dec 2, 2014
    risk 0.03cvss epss 0.05

    Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter…