CVE-2021-4225
📋 TL;DR
The SP Project & Document Manager WordPress plugin before version 4.24 contains an insufficient file extension validation vulnerability on Windows servers. Any authenticated WordPress user (including low-privilege subscribers) can upload malicious files that bypass security checks, potentially leading to server compromise. This affects WordPress sites using vulnerable plugin versions on Windows hosting environments.
💻 Affected Systems
- SP Project & Document Manager WordPress Plugin
📦 What is this software?
Sp Project & Document Manager by Smartypantsplugins
⚠️ Risk & Real-World Impact
Worst Case
Attackers upload web shells or backdoors, gain full server control, execute arbitrary code, steal data, and maintain persistent access to the entire hosting environment.
Likely Case
Attackers upload PHP backdoors to vulnerable Windows servers, establish footholds for further exploitation, deface websites, or install malware.
If Mitigated
With proper file upload restrictions and server hardening, impact is limited to unsuccessful upload attempts or isolated file system access.
🎯 Exploit Status
Exploitation requires authenticated WordPress access. Multiple public proof-of-concept examples demonstrate the Windows file extension bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.24
Vendor Advisory: https://wpscan.com/vulnerability/bd1083d1-edcc-482e-a8a9-c8b6c8d417bd
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'SP Project & Document Manager'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.24+ from the WordPress repository.
6. Deactivate the old plugin, upload the new version via FTP, then activate it.
🔧 Temporary Workarounds
Restrict File Uploads
Temporarily disable file upload functionality for non-admin users via plugin settings or code modification.
Windows Server File Extension Blocking
Configure Windows IIS or the web server to block execution of files with double extensions or case variations.
# In IIS Manager: Request Filtering → Deny file extensions: .pHp, .pHP, .Php, .PHP5, .PHTML, etc.
🧯 If You Can't Patch
- Immediately disable the SP Project & Document Manager plugin until patching is possible.
- Implement web application firewall (WAF) rules to block suspicious file upload patterns and monitor for exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → SP Project & Document Manager version. If the version is below 4.24 and the site runs on a Windows server, it is vulnerable.
Check Version:
# In the WordPress database (lists active plugin paths):
SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
# Or check the "Version:" line in the plugin's main file header
Verify Fix Applied:
Confirm plugin version is 4.24 or higher in WordPress admin panel. Test file upload functionality with restricted extensions.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts from single user
- Successful uploads of files with double extensions (.php.jpg)
- POST requests to /wp-content/plugins/sp-project-and-document-manager/upload.php
Network Indicators:
- Unusual file upload traffic patterns to plugin endpoints
- POST requests with suspicious file names containing PHP extensions
SIEM Query:
source="web_logs" AND (uri_path="/wp-content/plugins/sp-project-and-document-manager/upload.php" OR file_extension="php" OR file_extension="phtml") AND http_method="POST"
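The two Windows-specific bypass classes this advisory names (case variations such as .pHp and double extensions such as .php.jpg) are what a server-side check and a log search both have to account for. The following is an added example, not code from the advisory or from the plugin: a Windows-aware filename normaliser and upload rule, plus a scanner that applies the same rule to POSTs against the plugin's upload endpoint. It assumes NTFS drops trailing dots and spaces from names and that the listed extensions are executable on the server; the log lines are constructed, and the filename=... query parameter is a convention of the sample (the real plugin sends the name in the multipart body, so in production this check would run in the upload handler or a WAF, where the name is visible).

```python
"""Windows-aware upload filename checks and a log scanner (added example, not
part of the advisory or the plugin)."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Extensions the web server would execute (assumption; extend for your handler map).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Extensions the upload feature legitimately needs (assumed allowlist).
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "txt"}

# Endpoint from the advisory's log indicators.
UPLOAD_ENDPOINT = "/wp-content/plugins/sp-project-and-document-manager/upload.php"


def normalize_windows_filename(name: str) -> str:
    """Reduce a filename to what NTFS would actually store.

    Windows silently drops trailing dots and spaces, so "shell.php." or
    "shell.php " ends up as "shell.php" on disk even if a naive check let it
    through.  Case is folded because NTFS lookups are case-insensitive.
    """
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    return name.rstrip(". ").lower()


def extension_parts(name: str) -> List[str]:
    """Every dot-separated suffix of the normalized name: 'a.php.jpg' -> ['php', 'jpg']."""
    parts = normalize_windows_filename(name).split(".")
    return parts[1:] if len(parts) > 1 else []


def is_executable_upload(name: str) -> bool:
    """True if any extension in the name, not only the last one, is executable."""
    return any(ext in EXECUTABLE_EXTENSIONS for ext in extension_parts(name))


def is_allowed_upload(name: str) -> bool:
    """Hardened rule: exactly one extension, on the allowlist, nothing executable."""
    exts = extension_parts(name)
    return len(exts) == 1 and exts[0] in ALLOWED_EXTENSIONS and not is_executable_upload(name)


# Constructed combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - subscriber1 [01/Jan/2022:10:00:01 +0000] "POST /wp-content/plugins/sp-project-and-document-manager/upload.php?filename=report.pdf HTTP/1.1" 200 512
10.0.0.5 - subscriber1 [01/Jan/2022:10:00:07 +0000] "POST /wp-content/plugins/sp-project-and-document-manager/upload.php?filename=cmd.pHp HTTP/1.1" 200 512
10.0.0.9 - editor2 [01/Jan/2022:10:01:13 +0000] "POST /wp-content/plugins/sp-project-and-document-manager/upload.php?filename=notes.php.jpg HTTP/1.1" 200 512
10.0.0.9 - editor2 [01/Jan/2022:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 2048
10.0.0.7 - guest [01/Jan/2022:10:03:30 +0000] "POST /wp-content/plugins/sp-project-and-document-manager/upload.php?filename=shell.php. HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)


def scan_upload_log(text: str) -> List[Dict[str, str]]:
    """Flag POSTs to the plugin upload endpoint whose filename would execute on Windows."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["uri"].partition("?")
        if path != UPLOAD_ENDPOINT:
            continue
        qm = re.search(r"(?:^|&)filename=([^&]*)", query)
        filename = unquote(qm.group(1)) if qm else ""
        if is_executable_upload(filename):
            hits.append({
                "ip": m["ip"],
                "user": m["user"],
                "filename": filename,
                "normalized": normalize_windows_filename(filename),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_upload_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["user"]} uploaded {hit["filename"]!r} -> stored as {hit["normalized"]!r}')
```

The allow rule is deliberately strict: a name with two extensions (archive.tar.gz included) is rejected outright, because on a Windows host the only safe answer to "which extension counts?" is to refuse the ambiguity. The scanner inherits that logic, so a search for the literal string ".php" in logs is replaced by the same normalisation the server should apply.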
🔗 References
- https://github.com/pang0lin/CVEproject/blob/main/wordpress_SP-Project_fileupload.md
- https://wpscan.com/vulnerability/bd1083d1-edcc-482e-a8a9-c8b6c8d417bd