CVE-2021-4225

Name of the Vulnerable Software and Affected Versions SP Project & Document Manager WordPress plugin versions prior to 4.24

Description The issue allows any authenticated users to upload files, despite the plugin's attempt to prevent PHP and other executable files from being uploaded by checking the file extension. On Windows servers, the security checks are insufficient, enabling potential uploads of backdoors on vulnerable sites.

Recommendations For versions prior to 4.24, update to version 4.24 or later to resolve the issue. As a temporary workaround, consider restricting file uploads for authenticated users, such as subscribers, until the update is applied.