SP Project & Document Manager < 4.58 – Sensitive File Disclosure | CVE 2022-1551

Description

The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.

Proof of Concept

1. Upload a file using the plugin.
2. On another browser, access the newly uploaded file via:

https://vulnerable-site.tld/wp-content/uploads/sp-client-document-manager/[user's uid]/file.format

Affects Plugins

sp-client-document-manager

Fixed in 4.58

References

CVE

CVE-2022-1551

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Viktor Markopoulos

Submitter

Viktor Markopoulos

Submitter website

https://www.bitcrack.net/

Submitter twitter

bitcrack_cyber

Verified

Yes

WPVDB ID

51b4752a-7922-444d-a022-f1c7159b5d84

Timeline

Publicly Published

2022-06-28 (about 1 years ago)

Added

2022-06-28 (about 1 years ago)

Last Updated

2023-04-04 (about 1 years ago)

Other

Published

Title

Published

2022-04-18

Title

Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure

Published

2022-06-17

Title

GiveWP < 2.21.0 - Donor Information Disclosure

Published

2024-02-02

Title

Total Upkeep < 1.15.9 - Improper Authorization to Unauthenticated Arbitrary File Download

Published

2023-09-11

Title

WooCommerce < 7.9.0 - Sensitive Information Exposure

Published

2024-01-22

Title

File Manager < 7.2.2 - Sensitive Information Exposure via Backup Filenames