WordPress Plugin Vulnerabilities

SP Project & Document Manager <= 4.70 - Missing Authorization Stored Cross-Site Scripting

Description

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check function in versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject malicious web scripts into pages.

Affects Plugins

Plugin icon
sp-client-document-manager
No known fix

References

CVE
CVE-2024-31118
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/31cb7a9d-8965-49cd-b1fb-0d141038a0e1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
CatFather
Verified
No
WPVDB ID
84212ee6-11c6-493c-8027-12ba8be6fda0

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2025-02-24
Title
WP-Asambleas <= 2.85.0 - Unauthenticated Arbitrary Shortcode Execution
Published
2022-11-28
Title
WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation
Published
2026-03-17
Title
Post SMTP < 3.9.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite
Published
2023-12-26
Title
Poll Maker < 4.8.1 - Missing Authorization
Published
2023-08-30
Title
Multiple Plugins from ServMask - Unauthenticated Access Token Update