CVE-2021-24347
📋 TL;DR
This vulnerability allows authenticated users to upload malicious PHP files by changing the file extension case (e.g., 'php' to 'pHP'), bypassing the plugin's file type validation. It affects WordPress sites running the SP Project & Document Manager plugin, potentially leading to remote code execution. Attackers could gain full control of affected websites.
💻 Affected Systems
- WordPress SP Project & Document Manager plugin
📦 What is this software?
SP Project & Document Manager by Smartypantsplugins
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to internal networks.
Likely Case
Website takeover through webshell upload, leading to data theft, malware distribution, or use as part of a botnet.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and server hardening in place.
🎯 Exploit Status
Exploit requires authenticated user access. Multiple public exploit scripts and detailed write-ups are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.22 and later
Vendor Advisory: https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'SP Project & Document Manager'.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.22+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate sp-client-document-manager
Restrict file uploads
Block execution of PHP files in the upload directory at the web server level
# Apache: place this .htaccess in the upload directory (under wp-content/uploads).
# The inline (?i:...) group makes the match case-insensitive, so pHP, PhTmL etc. are covered.
<FilesMatch "\.(?i:php|php3|php4|php5|phtml|phps)$">
    Order Deny,Allow
    Deny from all
    # On Apache 2.4 without mod_access_compat use "Require all denied" instead of the two lines above.
</FilesMatch>
# Nginx: add inside the server block BEFORE the generic "location ~ \.php$" handler
# (the first matching regex location wins). "~*" makes the match case-insensitive.
# Scoped to the uploads path so WordPress's own PHP files keep working.
location ~* ^/wp-content/uploads/.*\.(php|php3|php4|php5|phtml|phps)$ {
    deny all;
}
🧯 If You Can't Patch
- Remove plugin completely from production systems
- Implement strict file upload validation at application layer
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin panel under Plugins > Installed Plugins. If the version is below 4.22, the site is vulnerable.
Check Version:
wp plugin get sp-client-document-manager --field=version
Verify Fix Applied:
Confirm the plugin version is 4.22 or higher. Test the file upload functionality with case-varied PHP extensions (e.g. .pHP, .PhTmL) and confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- File uploads with case-varied PHP extensions (pHP, PhP, etc.)
- Unauthorized file writes to upload directories
- Webshell access patterns in access logs
Network Indicators:
- POST requests to upload endpoints with PHP files
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND (uri_path="*/wp-content/plugins/sp-client-document-manager/*" AND method="POST") AND (file_extension="*[Pp][Hh][Pp]" OR user_agent="*curl*" OR user_agent="*wget*")
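Added example (not part of the advisory or of the plugin's own code): a Python script that implements the strict application-layer validation recommended above and scans an uploads tree for the case-varied PHP extensions listed as log indicators. The allowlist and the sample upload tree are constructed assumptions; the extension set mirrors the web-server rules above.

```python
import os
import tempfile

# Extensions the web server may execute as PHP. Matched case-insensitively,
# which is the check the vulnerable plugin versions (< 4.22) did not perform.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps"}
# Constructed allowlist for a document-manager upload form (assumption).
ALLOWED_UPLOADS = {"pdf", "docx", "xlsx", "png", "jpg", "jpeg"}

def has_php_extension(filename: str) -> bool:
    """True if any dotted segment is a PHP extension in any case
    ("shell.pHP", "cmd.PhTmL", "doc.php.txt" all match)."""
    parts = filename.lower().split(".")
    return any(part in PHP_EXTENSIONS for part in parts[1:])

def upload_allowed(filename: str) -> bool:
    """Application-layer check: exactly one extension, from the allowlist,
    compared in lowercase, and nothing PHP-like anywhere in the name."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1] in ALLOWED_UPLOADS and not has_php_extension(filename)

def scan_upload_dir(root: str) -> list:
    """Walk an uploads tree and return relative paths (forward slashes)
    of files a web server could execute as PHP."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if has_php_extension(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def demo_scan() -> list:
    """Build a constructed sample uploads tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    for rel in ("2021/07/report.pdf", "2021/07/shell.pHP",
                "2021/08/cmd.PhTmL", "2021/08/photo.JPG"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return scan_upload_dir(root)

if __name__ == "__main__":
    print(demo_scan())  # ['2021/07/shell.pHP', '2021/08/cmd.PhTmL']
```

Point scan_upload_dir at the real wp-content/uploads tree to list files that should never have been written there; any hit is worth treating as a possible webshell.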
🔗 References
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
- http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a