SP Project & Document Manager <= 4.71 – Subscriber+ File Download via IDOR | CVE 2024-3749 | Plugin Vulnerabilities

Description

The plugin lacks proper access controllers and allows a logged in user to view and download files belonging to another user

Proof of Concept

As a logged in user, send a GET request:

GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=3(CHANGE HERE)&pid=0(CHANGE HERE)&search=&_=1708406394720

You can view files and directories owned by other users by manipulating the `uid` and `pid` parameters

That information can then be leveraged to download the files.

Affects Plugins

sp-client-document-manager

No known fix

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

fewwords

Submitter

fewwords

Verified

Yes

WPVDB ID

d14bb16e-ce1d-4c31-8791-bc63174897c0

Timeline

Publicly Published

2024-04-24 (about 1 year ago)

Added

2024-04-24 (about 1 year ago)

Last Updated

2024-04-24 (about 1 year ago)

Other

Published

Title

Published

2024-09-06

Title

ForumWP – Forum & Discussion Board Plugin < 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Published

2025-02-23

Title

Amelia < 1.2.17 - Unauthenticated Insecure Direct Object Reference

Published

2025-11-18

Title

Eagle Booking <= 1.3.4.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2023-12-19

Title

WPDashboardNotes < 1.0.11 - Unauthorised Deletion of Private Notes

Published

2026-01-07

Title

Image Slider Slideshow <= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference