Vulnerability Description
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Smartypantsplugins | Sp Project \& Document Manager | < 4.22 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-MaExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-ReExploitThird Party AdvisoryVDB Entry
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45aExploitThird Party Advisory
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-MaExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-ReExploitThird Party AdvisoryVDB Entry
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45aExploitThird Party Advisory
FAQ
What is CVE-2021-24347?
CVE-2021-24347 is a vulnerability with a CVSS score of 8.8 (HIGH). The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server fr...
How severe is CVE-2021-24347?
CVE-2021-24347 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24347?
Check the references section above for vendor advisories and patch information. Affected products include: Smartypantsplugins Sp Project \& Document Manager.