WordPress Plugin Vulnerabilities

SP Project & Document Manager < 4.68 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
sp-client-document-manager
Fixed in 4.68

References

CVE
CVE-2023-36530
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sp-client-document-manager/sp-project-document-manager-467-authenticated-administrator-stored-cross-site-scripting-via-plugin-settings

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
b55ef4c2-a034-487d-96f2-ee452381beb6

Timeline

Publicly Published
2023-06-30 (about 2 years ago)
Added
2023-08-11 (about 2 years ago)
Last Updated
2023-08-11 (about 2 years ago)

Other

Published
Title
Published
2015-04-20
Title
P3 (Plugin Performance Profiler) <= 1.5.3.8 - Cross-Site Scripting (XSS)
Published
2026-01-16
Title
Team Section Block < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link
Published
2025-09-30
Title
WooCommerce Vehicle Parts Finder < 3.8 - Unauthenticated Stored Cross-Site Scripting
Published
2024-01-03
Title
PageLayer < 1.7.9 - Contributor+ Stored XSS
Published
2014-08-01
Title
Marekkis Watermark 0.9.2 - wp-admin/options-general.php pfad Parameter XSS