Vulnerability Monitor

CVE-2021-24347


The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that PHP files could still be uploaded by changing the case of the file extension, for example, from "php" to "pHP".


Published

2021-06-14T14:15:08.200

Last Modified

2024-11-21T05:52:53.330

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-178
  • Type: Secondary
    CWE-178

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | smartypantsplugins | sp_project_\&_document_manager | < 4.22 | Yes |

References