cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-3749,https://securityvulnerability.io/vulnerability/CVE-2024-3749,Insecure File Access Vulnerability in SP Project & Document Manager WordPress Plugin,The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user,Wordpress,Sp Project & Document Manager,,,0.0004299999854993075,false,,false,false,true,true,false,false,2024-05-15T06:00:04.713Z,0
CVE-2024-3748,https://securityvulnerability.io/vulnerability/CVE-2024-3748,Plugin Vulnerability Allows Manipulation of User IDs,"The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user",Wordpress,Sp Project & Document Manager,,,0.0004299999854993075,false,,false,false,true,true,false,false,2024-05-15T06:00:04.491Z,0
CVE-2024-1693,https://securityvulnerability.io/vulnerability/CVE-2024-1693,Unauthorized Modification of Data Vulnerability in SP Project & Document Manager Plugin for WordPress,"The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary folder name that do not belong to them.",Wordpress,Sp Project & Document Manager,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-14T14:48:00.000Z,0
CVE-2023-3063,https://securityvulnerability.io/vulnerability/CVE-2023-3063,Insecure Direct Object References in SP Project & Document Manager Plugin for WordPress,"The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References, allowing authenticated attackers with subscriber privileges or higher to manipulate user-controlled access to sensitive objects. This vulnerability enables them to bypass authorization mechanisms, leading to unauthorized password changes and possible administrative account takeovers. Users are urged to update to the latest version to mitigate risks.",Wordpress,Sp Project & Document Manager,8.8,HIGH,0.0004400000034365803,false,,false,false,false,,false,false,2023-06-30T02:15:00.000Z,0
CVE-2022-34857,https://securityvulnerability.io/vulnerability/CVE-2022-34857,WordPress SP Project & Document Manager plugin <= 4.59 - Reflected Cross-Site Scripting (XSS) vulnerability,Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress,Wordpress,Sp Project & Document Manager (WordPress Plugin),6.1,MEDIUM,0.0006099999882280827,false,,false,false,false,,false,false,2022-08-22T15:15:00.000Z,0
CVE-2022-1551,https://securityvulnerability.io/vulnerability/CVE-2022-1551,SP Project & Document Manager < 4.58 - Sensitive File Disclosure,"The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.",Wordpress,Sp Project & Document Manager,6.5,MEDIUM,0.0008500000112690032,false,,false,false,false,,false,false,2022-07-25T12:46:15.000Z,0
CVE-2021-4225,https://securityvulnerability.io/vulnerability/CVE-2021-4225,SP Project & Document Manager < 4.24 - Subscriber+ Shell Upload,"The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.",Wordpress,Sp Project & Document Manager,8.8,HIGH,0.0015699999639764428,false,,false,false,false,,false,false,2022-04-25T15:50:53.000Z,0
CVE-2021-38315,https://securityvulnerability.io/vulnerability/CVE-2021-38315,SP Project & Document Manager <= 4.25 Reflected Cross-Site Scripting,"The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.",Wordpress,Sp Project & Document Manager,6.1,MEDIUM,0.0007399999885819852,false,,false,false,false,,false,false,2021-08-16T00:00:00.000Z,0
CVE-2021-24347,https://securityvulnerability.io/vulnerability/CVE-2021-24347,SP Project & Document Manager <2 4.22 - Authenticated Shell Upload,"The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from ""php"" to ""pHP"".",Wordpress,Sp Project & Document Manager,8.8,HIGH,0.9729999899864197,false,,false,false,true,true,false,false,2021-06-14T13:37:12.000Z,0
CVE-2014-9178,https://securityvulnerability.io/vulnerability/CVE-2014-9178,,"Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.",Wordpress,Sp Project \& Document Manager,,,0.001509999972768128,false,,false,false,false,,false,false,2014-12-02T16:00:00.000Z,0