CVE-2024-31118
Missing Authorization in Smartypants SP Project & Document Manager
Publication date: 2026-02-17
Last updated on: 2026-02-17
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | sp_project_document_manager | to 4.70 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-31118 is a medium priority Broken Access Control vulnerability in the WordPress SP Project & Document Manager Plugin up to version 4.70.
The issue is caused by missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users to perform actions that should be restricted to higher privileged roles.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability can allow unprivileged users to perform actions reserved for higher privileged roles, potentially leading to unauthorized access or modification of sensitive project and document data.
Because exploitation requires interaction by a privileged user, attackers might trick such users into performing actions that compromise the security of the system.
The CVSS score of 6.5 indicates a moderate severity with a significant likelihood of exploitation, which could result in confidentiality, integrity, and availability impacts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability arises from missing authorization and authentication checks in certain functions of the SP Project & Document Manager plugin, allowing unprivileged users to perform privileged actions.'}, {'type': 'paragraph', 'content': 'Detection involves monitoring for unusual access patterns or actions performed by users with Subscriber or Developer roles that should require higher privileges.'}, {'type': 'paragraph', 'content': "Since the vulnerability requires user interaction such as clicking a malicious link or submitting a crafted form, network detection could focus on identifying suspicious HTTP requests targeting the plugin's endpoints."}, {'type': 'list_item', 'content': 'Use web server logs to search for unusual POST or GET requests to the SP Project & Document Manager plugin URLs.'}, {'type': 'list_item', 'content': 'Monitor user activity logs for privilege escalation attempts or actions performed by low-privilege users that normally require higher privileges.'}, {'type': 'list_item', 'content': "Commands such as 'grep' on web server logs to find requests containing suspicious parameters or paths related to the plugin can be helpful."}, {'type': 'list_item', 'content': "Example command: grep -i 'sp-project-document-manager' /var/log/apache2/access.log"}] [1]
What immediate steps should I take to mitigate this vulnerability?
No official patch is currently available for this vulnerability.
Patchstack has issued a mitigation rule to block attacks targeting this flaw.
Users are advised to apply this mitigation immediately to protect their websites.
Additionally, restrict user roles and privileges to minimize exposure, especially limiting Subscriber or Developer roles from performing sensitive actions.
Monitor and audit user activities closely to detect any exploitation attempts.