Threat Entry Updated 2025-05-15

CVE-2024-3749 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user

PLUGIN Document Manager

CVE-2024-3749

MEDIUM CVSS 6.5 2024-05-15

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-15

CVE-2024-3748 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user

PLUGIN Document Manager

CVE-2024-3748

MEDIUM CVSS 6.5 2024-05-15

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-1693 - Document Manager Plugin

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary folder name that do not belong to them.

PLUGIN Document Manager

CVE-2024-1693

MEDIUM CVSS 4.3 2024-05-14

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-3063 - Document Manager Plugin

The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.

PLUGIN Document Manager

CVE-2023-3063

HIGH CVSS 8.8 2023-06-30

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-1551 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.

PLUGIN Document Manager

CVE-2022-1551

MEDIUM CVSS 6.5 2022-07-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-4225 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.

PLUGIN Document Manager

CVE-2021-4225

HIGH CVSS 8.8 2022-04-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-38315 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.

PLUGIN Document Manager

CVE-2021-38315

MEDIUM CVSS 6.1 2021-08-16

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24347 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".

PLUGIN Document Manager

CVE-2021-24347

HIGH CVSS 8.8 2021-06-14

Risk Score

Open Full Technical Breakdown