WordPress Plugin Vulnerabilities

SP Project & Document Manager < 4.68 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Affects Plugins

Plugin icon
sp-client-document-manager
Fixed in 4.68

References

CVE
CVE-2023-36677

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Le Ngoc Anh
Verified
No
WPVDB ID
ee5a2c74-4123-4058-b9ae-a7a90e3cede4

Timeline

Publicly Published
2023-06-30 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2025-08-14
Title
Quiz And Survey Master < 10.2.5 - Authenticated (Contributor+) SQL Injection
Published
2026-01-15
Title
WooCommerce Frontend Manager – Ultimate < 6.7.6 - Authenticated (Subscriber+) SQL Injection
Published
2022-05-11
Title
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
Published
2022-12-09
Title
LetsRecover < 1.2.0 - Admin+ SQLi
Published
2014-08-01
Title
BuddyPress 1.2.9 - SQL Injection