Filtered by vendor Smartypantsplugins
Subscribe
Filtered by product Sp Project \& Document Manager
Subscribe
Total
6 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-24347 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2022-11-08 | 6.5 MEDIUM | 8.8 HIGH |
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP". | |||||
CVE-2022-34857 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2022-08-23 | N/A | 6.1 MEDIUM |
Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress | |||||
CVE-2022-1551 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2022-07-29 | N/A | 6.5 MEDIUM |
The SP Project & Document Manager WordPress plugin through 4.57 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. | |||||
CVE-2021-4225 | 2 Microsoft, Smartypantsplugins | 2 Windows, Sp Project \& Document Manager | 2022-05-03 | 6.5 MEDIUM | 8.8 HIGH |
The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites. | |||||
CVE-2021-38315 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25. | |||||
CVE-2014-9178 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2018-10-09 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function. |